[Emerging-Sigs] 72.232.195.26 (contacy.info)
Matt Jonkman
jonkman at jonkmans.com
Wed Jul 9 15:53:41 EDT 2008
Posted, but I dropped the uricontent, just went for the user-agent.
Should be reliable.
Thanks
Matt
Philipp Bescht wrote:
> hi,
>
> the following requests are made (among others):
> GET /fd/sea.php?ver=ha3
> GET /rr/srr.php?ver=ha1
>
> with
> User-Agent: clk_jdfhid
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"contacy.info trojan checkin"; flow:to_server,established; uricontent:".php?ver="; nocase; content:"|0d 0a|User-Agent\: clk_jdfhid|0d 0a|"; classtype:trojan-activity; sid:2009963; rev:1;)
>
>
> regards,
> philipp
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
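
An added example, not part of the original thread or of the Emerging Threats ruleset: a Python approximation of the proposed rule next to a User-Agent-only variant, run over constructed requests to show how dropping the uricontent changes coverage. The rule as actually posted is not shown in this thread, so the UA-only matcher is an assumption; the `other_path` and `benign_php` requests and the host name are hypothetical.

```python
# Added example: approximates the two rule variants from this thread in Python.
# All requests below are constructed sample data, not captured traffic.

# content:"|0d 0a|User-Agent\: clk_jdfhid|0d 0a|" (case-sensitive byte match)
UA_CONTENT = b"\r\nUser-Agent: clk_jdfhid\r\n"
# uricontent:".php?ver="; nocase;
URI_CONTENT = b".php?ver="


def request_uri(raw: bytes) -> bytes:
    """Return the request-target from the request line, or b"" if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) == 3 else b""


def match_original(raw: bytes) -> bool:
    """Rule as proposed: URI substring (case-insensitive) AND exact UA bytes."""
    return URI_CONTENT in request_uri(raw).lower() and UA_CONTENT in raw


def match_ua_only(raw: bytes) -> bool:
    """Assumed variant with the uricontent dropped: exact UA bytes only."""
    return UA_CONTENT in raw


def build(uri: str, ua: str) -> bytes:
    """Build a minimal constructed HTTP request for testing the matchers."""
    return (f"GET {uri} HTTP/1.1\r\nHost: example.invalid\r\n"
            f"User-Agent: {ua}\r\n\r\n").encode()


SAMPLES = {
    "checkin_sea": build("/fd/sea.php?ver=ha3", "clk_jdfhid"),  # URI from the thread
    "checkin_srr": build("/rr/srr.php?ver=ha1", "clk_jdfhid"),  # URI from the thread
    "other_path": build("/zz/other.cgi?id=1", "clk_jdfhid"),    # hypothetical URI
    "benign_php": build("/app/info.php?ver=2", "Mozilla/5.0"),  # unrelated client
}


def evaluate() -> dict:
    """Map sample name -> (original rule hit, UA-only rule hit)."""
    return {n: (match_original(r), match_ua_only(r)) for n, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, ua) in evaluate().items():
        print(f"{name:12} original={orig!s:5} ua_only={ua!s:5}")
```

The UA-only variant still fires when the same client requests a path without `.php?ver=`, and neither variant fires on the unrelated client.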