[Emerging-Sigs] Errata: MyWebSearch alerts on Dell Support

Matt Jonkman jonkman at jonkmans.com
Mon Mar 24 18:14:03 EST 2008


Very nice Jack. Posting these now.

Matt

Jack Pepper wrote:
> The original rule was too restrictive and missed a bunch; this is better:
> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dell MyWay Remote control agent"; flow: to_server,established; content: "Referer\: http\://dell"; depth:100; content:"Host\:"; depth:250; content:"myway.com"; nocase; within:20; distance:0; classtype:not-suspicious; threshold:type limit, track by_src, count 2, seconds 360; sid: 1001663; rev:9;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malware MyWebSearch Toolbar Traffic (r10)"; flow: to_server,established; content: !"Referer\: http\://dell"; depth:100; content:"Host\:"; depth:250; content:"myway.com"; nocase; within:20; distance:0; classtype:trojan-activity; threshold:type limit, track by_src, count 2, seconds 360; sid: 2001663; rev:10;)

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
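The two quoted rules split one Host match (`myway.com` within 20 bytes of `Host:`) on whether `Referer: http://dell` appears in the first 100 bytes of the request. The following is an added example, not code from the thread or from Emerging Threats: it re-implements the Snort 2 `content`/`depth`/`nocase`/`distance`/`within` and `threshold: type limit` semantics in plain Python and runs them over constructed HTTP requests (no real captures), so the behaviour of sid 1001663 versus sid 2001663 can be checked offline. It also shows the edge a defender would want to know about: a long request URI pushes the Referer header past `depth:100`, the negated content in sid 2001663 no longer sees it, and benign Dell support traffic fires the trojan-activity rule.

```python
"""Model of the two quoted Snort rules, run over constructed HTTP requests.

Added example (not part of the original post).  Assumes Snort 2 semantics:
'depth' is absolute from the start of the payload; 'distance:0; within:N'
limits the next pattern to the N bytes following the previous match.
"""
from collections import defaultdict

# Content patterns as the rules spell them (Snort escapes ':' as '\:').
REFERER_DELL = b"Referer: http://dell"
HOST_HDR = b"Host:"
MYWAY = b"myway.com"


def content_at(payload, pattern, depth=None, nocase=False, start=0, within=None):
    """Return the end offset of the first match, or None if not found.

    depth  : absolute search limit from the payload start (Snort 'depth').
    within : relative search limit after 'start' (Snort 'distance:0; within:N').
    """
    if within is not None:
        window, base = payload[start:start + within], start
    else:
        window, base = (payload[:depth] if depth is not None else payload), 0
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    idx = window.find(pattern)
    return None if idx < 0 else base + idx + len(pattern)


def host_is_myway(payload):
    """content:"Host:"; depth:250; content:"myway.com"; nocase; within:20; distance:0;"""
    host_end = content_at(payload, HOST_HDR, depth=250)
    if host_end is None:
        return False
    return content_at(payload, MYWAY, nocase=True, start=host_end, within=20) is not None


def referer_is_dell(payload):
    """content:"Referer: http://dell"; depth:100;  (negated in sid 2001663)"""
    return content_at(payload, REFERER_DELL, depth=100) is not None


def classify(payload):
    """Return the sid that fires for this request payload, or None."""
    if not host_is_myway(payload):
        return None
    if referer_is_dell(payload):
        return 1001663  # Dell MyWay Remote control agent, classtype not-suspicious
    return 2001663      # MyWebSearch Toolbar Traffic, classtype trojan-activity


class Threshold:
    """threshold:type limit, track by_src, count 2, seconds 360

    'limit' passes the first `count` alerts per source in each window and
    suppresses the rest until the window expires.
    """
    def __init__(self, count=2, seconds=360):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])  # src -> [window_start, fired]

    def allow(self, src, now):
        start, fired = self.state[src]
        if start is None or now - start >= self.seconds:
            self.state[src] = [now, 1]
            return True
        if fired < self.count:
            self.state[src][1] = fired + 1
            return True
        return False


# Constructed sample requests (not real captures; .invalid is a reserved TLD).
DELL_SUPPORT = (b"GET /search?q=driver HTTP/1.1\r\n"
                b"Referer: http://dell.invalid/support\r\n"
                b"Host: search.myway.com\r\n\r\n")
TOOLBAR = (b"GET /bar/toolbar.cgi HTTP/1.1\r\n"
           b"Host: www.MyWay.com\r\n"          # nocase makes this match
           b"User-Agent: MyWebSearch\r\n\r\n")
# Same Dell request, but an 80-byte query string pushes the Referer past
# byte 100: the exclusion fails and the benign request trips sid 2001663.
DELL_LONG_URI = (b"GET /search?q=" + b"a" * 80 + b" HTTP/1.1\r\n"
                 b"Referer: http://dell.invalid/support\r\n"
                 b"Host: search.myway.com\r\n\r\n")
OTHER_HOST = b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"


def run_samples():
    """Map each constructed sample to the sid it triggers."""
    samples = {"dell_support": DELL_SUPPORT, "toolbar": TOOLBAR,
               "dell_long_uri": DELL_LONG_URI, "other_host": OTHER_HOST}
    return {name: classify(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, sid in run_samples().items():
        print(f"{name:14s} -> {sid}")
```

The `dell_long_uri` sample is the one to keep in mind when tuning: because `depth:100` is measured from the start of the request line, the `!"Referer: http://dell"` exclusion only works while the Referer header lands inside those first 100 bytes, so a longer URI turns the not-suspicious case into a trojan-activity alert.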



