[Emerging-Sigs] mebroot/torpig response packet?

Darren Spruell phatbuckett at gmail.com
Thu Jan 29 23:52:43 EST 2009


Throwing this up for commentary... any worth?

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET TROJAN Possible Torpig C&C response message (okn)"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx"; nocase; distance:4; within:300; content:"|0d 0a 0d 0a|okn"; nocase; classtype:trojan-activity; reference:url,offensivecomputing.net/?q=node/909; sid:XXXXXXX; rev:1;)

-- 
Darren Spruell
phatbuckett at gmail.com
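Added example, not part of the original post: a small Python emulation of the content/depth/distance/within/nocase modifiers in the rule above, run over constructed HTTP responses so the rule's positional constraints can be checked offline before it is deployed. The window semantics assumed here are Snort 2's (a relative content is searched from `distance` bytes after the previous match end, in a window `within` bytes long); Suricata measures `within` from the previous match end itself, so results can differ when both modifiers are set. The function and constant names are my own.

```python
# Added example (not code from the original post). Emulates the three content
# matches of the Torpig "okn" rule with their modifiers. Assumed Snort 2
# window semantics: a relative content is searched from `distance` bytes after
# the previous match end, in a window `within` bytes long.

# Mirrors the rule's contents: (pattern, nocase, depth, distance, within)
TORPIG_OKN_CONTENTS = [
    (b"HTTP/1.", False, 7, None, None),
    (b"\r\nServer: nginx", True, None, 4, 300),
    (b"\r\n\r\nokn", True, None, None, None),
]


def _find(hay: bytes, needle: bytes, nocase: bool, start: int, end: int) -> int:
    """Absolute offset of needle fully inside hay[start:end], or -1."""
    window = hay[start:end]
    if nocase:
        window, needle = window.lower(), needle.lower()
    idx = window.find(needle)
    return -1 if idx < 0 else start + idx


def rule_matches(payload: bytes, contents=TORPIG_OKN_CONTENTS) -> bool:
    """True when every content matches in order, honouring the modifiers."""
    doe = 0  # end offset of the previous content match
    for pattern, nocase, depth, distance, within in contents:
        relative = distance is not None or within is not None
        start = doe + (distance or 0) if relative else 0
        limit = len(payload)
        if depth is not None:   # absolute: only the first `depth` bytes
            limit = min(limit, depth)
        if within is not None:  # relative: `within` bytes from `start`
            limit = min(limit, start + within)
        idx = _find(payload, pattern, nocase, start, limit)
        if idx < 0:
            return False
        doe = idx + len(pattern)
    return True


# Constructed sample responses, not real captures.
C2_LIKE = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 3\r\n\r\nokn"
BENIGN_NGINX = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"
# Server header pushed more than 300 bytes past the status line: within:300 fails,
# so a response like this is missed by the rule as written.
FAR_SERVER = b"HTTP/1.1 200 OK\r\nX-Pad: " + b"a" * 400 + b"\r\nServer: nginx\r\n\r\nokn"
```

Running `rule_matches` over the three samples gives True, False and False respectively; the last case shows that a header reordering on the server side would evade the within:300 constraint.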

