[Emerging-Sigs] Errata: MyWebSearch alerts on Dell Support
Jack Pepper
pepperjack at afferentsecurity.com
Mon Mar 24 16:05:00 EST 2008
The original rule was too restrictive and missed a bunch; this is better:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dell MyWay Remote control agent"; flow:to_server,established; content:"Referer\: http\://dell"; depth:100; content:"Host\:"; depth:250; content:"myway.com"; nocase; within:20; distance:0; classtype:not-suspicious; threshold:type limit, track by_src, count 2, seconds 360; sid:1001663; rev:9;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malware MyWebSearch Toolbar Traffic (r10)"; flow:to_server,established; content:!"Referer\: http\://dell"; depth:100; content:"Host\:"; depth:250; content:"myway.com"; nocase; within:20; distance:0; classtype:trojan-activity; threshold:type limit, track by_src, count 2, seconds 360; sid:2001663; rev:10;)
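To show how the content/depth/within/distance options of the two rules above split Dell's MyWay agent from the MyWebSearch toolbar, here is an added Python model of that matching (my code, not from the post or the ET ruleset) run over constructed HTTP requests; flow and threshold are not modelled.

```python
"""Model of the content matching in the two MyWay/MyWebSearch rules above.
Added example, not from the original post; sample requests are constructed."""
from typing import Optional

def content_match(payload: bytes, pattern: bytes, start: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> int:
    """Offset of pattern inside payload[start:start+depth], or -1.
    As in Snort, the whole pattern must fit inside the depth window."""
    end = len(payload) if depth is None else start + depth
    hay = payload[start:end]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    idx = hay.find(pattern)
    return -1 if idx < 0 else start + idx

def myway_host(payload: bytes) -> bool:
    """content:"Host\\:"; depth:250; content:"myway.com"; nocase; within:20; distance:0;"""
    host = content_match(payload, b"Host:", depth=250)
    if host < 0:
        return False
    # distance:0 resumes right after the previous match; within:20 caps the window,
    # so a long hostname pushes "myway.com" out of reach and the rule does not fire.
    after = host + len(b"Host:")
    return content_match(payload, b"myway.com", start=after, depth=20, nocase=True) >= 0

def dell_referer(payload: bytes) -> bool:
    """content:"Referer\\: http\\://dell"; depth:100; (negated in the second rule)"""
    return content_match(payload, b"Referer: http://dell", depth=100) >= 0

def classify(payload: bytes) -> Optional[str]:
    """Return the msg of the rule that would fire on a to_server payload, or None."""
    if not myway_host(payload):
        return None
    if dell_referer(payload):
        return "ET MALWARE Dell MyWay Remote control agent"          # sid 1001663
    return "ET MALWARE Malware MyWebSearch Toolbar Traffic (r10)"    # sid 2001663

# Constructed sample requests, not real captures
DELL_AGENT = (b"GET /agent HTTP/1.1\r\nReferer: http://dell.myway.com/\r\n"
              b"Host: search.MyWay.com\r\nUser-Agent: x\r\n\r\n")
TOOLBAR = (b"GET /bar HTTP/1.1\r\nHost: www.myway.com\r\n"
           b"Referer: http://example.test/\r\n\r\n")
UNRELATED = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
LONG_HOST = b"GET / HTTP/1.1\r\nHost: a-very-long-subdomain.myway.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("DELL_AGENT", DELL_AGENT), ("TOOLBAR", TOOLBAR),
                      ("UNRELATED", UNRELATED), ("LONG_HOST", LONG_HOST)]:
        print(name, "->", classify(req))
```

The LONG_HOST case is the caveat worth knowing: within:20 after "Host:" means a hostname longer than about ten characters before "myway.com" slips past both rules.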
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com