[Emerging-Sigs] Misfires on 2001685
Jack Pepper
pepperjack at afferentsecurity.com
Fri May 23 09:05:37 EDT 2008
The "MZ" string keeps showing up in real BMP files (statistically,
this rule should misfire one time out of every 256 BMP files). So I
altered it to require that the exe magic string must come at the
beginning of the attached file:
--- Before ---
alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"MZ"; within: 12; classtype: trojan-activity; sid: 2001685; rev:4;)
--- After ---
alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"|0d|MZ"; within: 12; classtype: trojan-activity; sid: 2001685; rev:5;)
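As an added illustration that is not part of the original post, the following Python script models the two matching behaviours over constructed payloads: the rev 4 check ("MZ" anywhere within 12 bytes after the Content-Type token) and an anchored check that only fires when "MZ" is the very first thing in the entity body, immediately after the CRLF CRLF header terminator, which is how this example reads the intent of the revision. The sample payloads, function names and the simplified treatment of Snort's `within` are all assumptions made for the example.

```python
"""Model of why sid 2001685 rev 4 misfires on real BMP files, and of an
anchored check that only fires when the body itself starts with 'MZ'.
Constructed example; not Snort code and not the list post's own tooling."""

IMAGE_HDR = b"Content-Type: image"
WITHIN = 12  # the rule's 'within: 12' distance


def _after_image_token(payload: bytes):
    """Offset just past the 'Content-Type: image' match, or None if absent."""
    idx = payload.find(IMAGE_HDR)
    return None if idx < 0 else idx + len(IMAGE_HDR)


def rev4_matches(payload: bytes) -> bool:
    """Rev 4 model: 'MZ' may appear anywhere such that it ends within
    WITHIN bytes of the end of the previous content match (simplified
    rendering of Snort's 'within')."""
    end = _after_image_token(payload)
    if end is None:
        return False
    return b"MZ" in payload[end:end + WITHIN]


def anchored_matches(payload: bytes) -> bool:
    """Anchored model (assumed intent of the revision): the entity body,
    i.e. the bytes right after the CRLF CRLF header terminator, must begin
    with 'MZ', and that 'MZ' must still end within WITHIN bytes."""
    end = _after_image_token(payload)
    if end is None:
        return False
    sep = payload.find(b"\r\n\r\n", end)
    if sep < 0:
        return False
    body_start = sep + 4
    mz_end = body_start + 2
    return payload[body_start:mz_end] == b"MZ" and (mz_end - end) <= WITHIN


# --- Constructed sample payloads (not real captures) ---------------------
# A genuine BMP whose 4-byte file-size field happens to be 0x00005A4D,
# i.e. the bytes 'M','Z' right after the 'BM' signature: the 1-in-N chance
# false positive the post describes.
BMP_WITH_MZ = (
    b"Content-Type: image/bmp\r\n\r\n"
    b"BM" + b"MZ\x00\x00" + b"\x00\x00\x00\x00" + b"\x36\x00\x00\x00"
)
# A PE executable mislabelled as an image: the case the rule is meant for.
EXE_AS_IMAGE = (
    b"Content-Type: image/gif\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
)
# A genuine BMP with an ordinary size field: should never fire.
CLEAN_BMP = (
    b"Content-Type: image/bmp\r\n\r\n"
    b"BM" + b"\x46\x00\x00\x00" + b"\x00\x00\x00\x00" + b"\x36\x00\x00\x00"
)

SAMPLES = {
    "bmp_with_MZ_in_size_field": BMP_WITH_MZ,
    "exe_labelled_as_image": EXE_AS_IMAGE,
    "clean_bmp": CLEAN_BMP,
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (rev4_fires, anchored_fires)} for each sample."""
    return {name: (rev4_matches(p), anchored_matches(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name:28s} rev4={old!s:5s} anchored={new!s:5s}")
```

Running it shows the rev 4 model firing on both the executable and the innocent BMP, while the anchored model fires only on the executable; the clean BMP triggers neither.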
jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com