[Emerging-Sigs] Unknown C&C sample
Michael Stone
mstone at mathom.us
Thu Mar 20 07:02:33 EST 2008
On Mon, Mar 17, 2008 at 01:48:49PM -0400, Matt Jonkman wrote:
>alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS
>Unknown Trojan CnC Channel Keepalive Ping"; flow:established,to_server;
>dsize:<25; content:"|12 00 00 00|"; depth:4; classtype:trojan-activity;
>sid:2008010; rev:1;)
This seems to be falsing on MySQL traffic. (Pattern observed is "|12 00 00 00|SELECT...", dport 3306/tcp)
Mike Stone
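Added example, not from the thread or from Emerging Threats: a short emulation of why the quoted rule trips on MySQL. The MySQL wire protocol prefixes every packet with a 3-byte little-endian payload length and a 1-byte sequence id, and a fresh client command (COM_QUERY, command byte 0x03) is sent with sequence id 0. Any command whose payload is 18 bytes long therefore starts with `12 00 00 00`, the packet is 22 bytes (under the rule's `dsize:<25`), it travels to the server on 3306 (inside the rule's `1024:` port range) on an established connection, so every content and size test in sid:2008010 passes. The helper names, the rule emulation and the sample queries below are all constructed for this illustration.

```python
import struct

COM_QUERY = 0x03  # MySQL command byte for a text query


def mysql_packet(seq: int, body: bytes) -> bytes:
    """Build one MySQL protocol packet: 3-byte little-endian payload
    length, 1-byte sequence id, then the payload itself."""
    if len(body) >= 1 << 24:
        raise ValueError("payload too large for a single MySQL packet")
    return struct.pack("<I", len(body))[:3] + bytes([seq & 0xFF]) + body


def mysql_query_packet(sql: str, seq: int = 0) -> bytes:
    """Client-side COM_QUERY packet as a MySQL client would send it.
    A new command always starts a fresh sequence, so seq defaults to 0."""
    return mysql_packet(seq, bytes([COM_QUERY]) + sql.encode())


def sid_2008010_matches(payload: bytes) -> bool:
    """Emulate the payload tests of the quoted rule (sid:2008010 rev:1):
    dsize:<25 and content:"|12 00 00 00|"; depth:4.  With a 4-byte content
    and depth 4 the match can only begin at offset 0.  The flow and port
    tests are satisfied by a client query to 3306 and are not modelled."""
    return len(payload) < 25 and payload[:4] == b"\x12\x00\x00\x00"


def false_positive_queries(queries):
    """Return the queries whose COM_QUERY packet would trip the rule."""
    return [q for q in queries if sid_2008010_matches(mysql_query_packet(q))]


# Constructed sample queries (assumption: not from any real capture).
# A 17-character query gives an 18-byte payload (command byte + text),
# i.e. a length field of 0x12, which is exactly the rule's content match.
SAMPLE_QUERIES = [
    "SELECT * FROM foo",  # 17 chars -> length 0x12, 22-byte packet: matches
    "SELECT @@version",   # 16 chars -> length 0x11: no match
    "SELECT 1",           # 8 chars  -> length 0x09: no match
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        pkt = mysql_query_packet(q)
        print(f"{q!r:22} header={pkt[:4].hex()} dsize={len(pkt):2d} "
              f"match={sid_2008010_matches(pkt)}")
```

The same header layout applies to every MySQL packet, not only SELECTs: any client command or server response with an 18-byte payload and sequence id 0 will produce the `12 00 00 00` prefix, so the hit is a property of the protocol framing rather than of the query text.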