[Emerging-Sigs] ET TROJAN HTTP Post with Double Accept header; sid 2008975

Nathaniel Richmond nate+emerging at richmond-family.org
Fri Jan 9 09:35:19 EST 2009


FYI,

With regard to this alert, in at least some instances it seems to be
associated with DRM. I've seen it trigger because of double accept
headers going to drm.cbtnuggets.com, get.zune.net and
wmdrm.windowsmedia.com. The User-Agent has been Windows-Media-DRM of
one version or another, e.g. "Windows-Media-DRM/11.0.5721.5145".

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HTTP Post with Double Accept header - Likely Trojan Activity"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Accept\: Accept\: "; within:200; classtype:trojan-activity; sid:2008975; rev:1;)

Nate
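The rule's content checks and the DRM-client pattern Nate describes, as an added worked example (this is not code from the original post or from the Emerging Threats rule set). It reproduces the `depth:5` / `within:200` matching of sid 2008975 over in-memory HTTP requests and then tags a hit that carries a `Windows-Media-DRM/` User-Agent to one of the three hosts named above. The sample requests are constructed, not captured traffic; whether a real DRM client sends the doubled header as literally `Accept: Accept: */*` is an assumption made to exercise the matcher. `flow:established,to_server` is a TCP-state condition and is not modelled.

```python
"""Re-implementation of the content checks of ET sid 2008975, plus the
Windows Media DRM triage hint from the mailing-list post.
Added example; not code from the post or the ET rule set."""

from typing import Optional

# Hosts and User-Agent prefix named in the post.
DRM_HOSTS = {"drm.cbtnuggets.com", "get.zune.net", "wmdrm.windowsmedia.com"}
DRM_UA_PREFIX = b"Windows-Media-DRM/"

FIRST_CONTENT = b"POST "                    # content:"POST "; depth:5
SECOND_CONTENT = b"\r\nAccept: Accept: "    # content:"|0d 0a|Accept\: Accept\: "; within:200


def matches_sid_2008975(payload: bytes) -> bool:
    """Mirror the rule's two content checks on a raw request payload.

    depth:5     -> the first literal must lie within the first 5 bytes
    within:200  -> the second literal must lie wholly inside the 200 bytes
                   that follow the end of the previous match
    """
    if payload[:len(FIRST_CONTENT)] != FIRST_CONTENT:
        return False
    start = len(FIRST_CONTENT)
    window = payload[start:start + 200]
    return SECOND_CONTENT in window


def header_value(payload: bytes, name: bytes) -> Optional[bytes]:
    """Value of the first header called `name` (case-insensitive) in the
    request head, or None. Only the part before the blank line is searched."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def classify(payload: bytes) -> str:
    """'no-match'    : the rule would not fire
       'drm-client'  : fires, but UA and Host look like the DRM traffic
                       described in the post (triage hint, not a whitelist)
       'suspicious'  : fires and does not look like that traffic"""
    if not matches_sid_2008975(payload):
        return "no-match"
    host = header_value(payload, b"Host")
    ua = header_value(payload, b"User-Agent") or b""
    if ua.startswith(DRM_UA_PREFIX) and host is not None:
        if host.decode("ascii", "replace").lower() in DRM_HOSTS:
            return "drm-client"
    return "suspicious"


# Constructed sample requests (not captured traffic).
DRM_POST = (
    b"POST /license HTTP/1.1\r\n"
    b"Accept: Accept: */*\r\n"
    b"User-Agent: Windows-Media-DRM/11.0.5721.5145\r\n"
    b"Host: wmdrm.windowsmedia.com\r\n"
    b"Content-Length: 0\r\n\r\n"
)
OTHER_POST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Accept: Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Content-Length: 0\r\n\r\n"
)
GET_DOUBLE_ACCEPT = (
    b"GET / HTTP/1.1\r\n"
    b"Accept: Accept: */*\r\n"
    b"Host: example.invalid\r\n\r\n"
)
# Doubled header pushed past the 200-byte window: within:200 must not match.
FAR_DOUBLE_ACCEPT = (
    b"POST / HTTP/1.1\r\n"
    b"X-Pad: " + b"a" * 200 + b"\r\n"
    b"Accept: Accept: */*\r\n"
    b"Host: example.invalid\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("DRM_POST", DRM_POST), ("OTHER_POST", OTHER_POST),
                       ("GET_DOUBLE_ACCEPT", GET_DOUBLE_ACCEPT),
                       ("FAR_DOUBLE_ACCEPT", FAR_DOUBLE_ACCEPT)):
        print(f"{label:18s} -> {classify(req)}")
```

The `drm-client` label only separates hits that fit the post's observation from those that do not; it is a triage hint for the analyst, not a reason to drop the alert, since a User-Agent string is trivially spoofable.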

