[Emerging-Sigs] 17PHolmes.cmt
Matt Jonkman
jonkman at jonkmans.com
Wed Jul 9 15:45:49 EDT 2008
Philipp Bescht wrote:
> now i can think of two variants to check for this and would like to know
> your opinion on what is best:
>
> alert tcp $HOME_NET any -> 206.251.244.226 $HTTP_PORTS
> (msg:"Trojan-Downloader.Win32.Homles.br download";
> flow:established,to_server; uricontent:"/17PHolmes.cmt";
> classtype:trojan-activity; sid:2009962; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"Trojan-Downloader.Win32.Homles.br download";
> flow:established,to_server; uricontent:"/17PHolmes.cmt";
> content:"|0d 0a|Host\: "; within: 15; content:"wrs.mcboo.com|0d 0a|"; nocase;
> classtype:trojan-activity; sid:2009962; rev:1;)
>
> what would you prefer? or is there even a better way?
I think the first is better. But considering the amount of crap we see
from mcboo.com it might be worth just a sig for ANYTHING mcboo.com :)
But I'll post the first version in case other domains are in use. Will
put it into current events.
Thanks Philipp!
Matt
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
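An added example, not part of the thread or of the Emerging Threats ruleset: a small Python emulation of what the two rule variants above key on, run over constructed HTTP requests. It shows why variant 1 goes quiet when the same download moves to a different IP while variant 2 keeps firing on the Host header. The `within:15` locality constraint is approximated as "Host is the first header", and the alternate destination 198.51.100.7 is a constructed documentation-range address.

```python
from typing import Dict, Tuple

# Values taken from the two rules quoted in the thread
RULE_DST_IP = "206.251.244.226"
RULE_URI = b"/17PHolmes.cmt"
RULE_HOST = b"wrs.mcboo.com"


def parse_request(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Return (request_line, headers, name_of_first_header) from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    first_header = b""
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        name = name.strip().lower()
        if not first_header:
            first_header = name
        headers[name] = value.strip()
    return lines[0], headers, first_header


def request_uri(request_line: bytes) -> bytes:
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def variant1_matches(dst_ip: str, raw: bytes) -> bool:
    """Variant 1: destination pinned to one IP, plus uricontent."""
    request_line, _, _ = parse_request(raw)
    return dst_ip == RULE_DST_IP and RULE_URI in request_uri(request_line)


def variant2_matches(dst_ip: str, raw: bytes) -> bool:
    """Variant 2: any destination; uricontent plus a nocase Host header.
    within:15 is approximated here as 'Host must be the first header'."""
    request_line, headers, first_header = parse_request(raw)
    if RULE_URI not in request_uri(request_line):
        return False
    if first_header != b"host":
        return False
    return headers.get(b"host", b"").lower() == RULE_HOST


def evaluate(dst_ip: str, raw: bytes) -> Dict[str, bool]:
    """Run both rule emulations against one request."""
    return {"variant1": variant1_matches(dst_ip, raw),
            "variant2": variant2_matches(dst_ip, raw)}


# Constructed sample requests, not captured traffic
REQ_ORIG = b"GET /17PHolmes.cmt HTTP/1.1\r\nHost: WRS.mcboo.com\r\n\r\n"
REQ_NEWHOST = b"GET /17PHolmes.cmt HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```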