[Emerging-Sigs] carberp sigs

Nick Randolph randolphdavidn at gmail.com
Fri Oct 8 15:37:34 EDT 2010


Should we add a content match for
"POST /set/first.html"
as well?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN carberp check in"; flow:established,to_server; content:"POST /set/first.html"; content:"id="; http_client_body; content:"os="; http_client_body; content:"plist="; http_client_body; classtype:trojan-activity; sid:5600172; rev:1;)


On 10/8/10, Eoin Miller <eoin.miller at trojanedbinaries.com> wrote:
>   Coworker showed me this blog about carberp:
>
> http://www.trustdefender.com/blog/tag/carberp/
>
> Wrote a signature to try and find infected hosts when they check in:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN carberp check in"; flow:established,to_server; content:"id="; http_client_body; content:"os="; http_client_body; content:"plist="; http_client_body; classtype:trojan-activity; sid:5600172; rev:1;)
>
> Based on:
> http://www.trustdefender.com/blog/wp-content/uploads/2010/10/pic3.png
>
> --Eoin
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
> Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
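To show what the proposed extra content match buys, here is an added example (not code from either post in this thread) that emulates the two rule variants in Python and runs them over constructed HTTP requests. It only emulates the content matches; flow:established,to_server and $HTTP_PORTS are assumed to have already selected client-to-server HTTP traffic. The hostnames, field values and the benign form POST are invented placeholders, not captured Carberp traffic.

```python
"""Emulates the two carberp check-in rules from this thread on constructed
HTTP requests. Added example, not code from the original post. Only the
content matches are emulated; flow:established,to_server and $HTTP_PORTS
are assumed to have already narrowed traffic to client->server HTTP."""
from __future__ import annotations

BODY_TOKENS = (b"id=", b"os=", b"plist=")   # the three http_client_body contents
REQUEST_LINE = b"POST /set/first.html"      # the raw-payload content proposed in the reply


def split_request(raw: bytes) -> tuple[bytes, bytes]:
    """Return (header_block, body). Snort's http_client_body buffer is the
    request body only, so the body has to be separated from the headers
    before the three body contents are tested."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head, (body if sep else b"")


def body_only_match(raw: bytes) -> bool:
    """Eoin's original sid:5600172 rev:1: all three contents must be present
    somewhere in the client body, in any order."""
    _, body = split_request(raw)
    return all(tok in body for tok in BODY_TOKENS)


def uri_and_body_match(raw: bytes) -> bool:
    """Nick's proposed revision. The added content carries no buffer modifier,
    so it is a raw-payload match; in practice it lands on the request line."""
    return REQUEST_LINE in raw and body_only_match(raw)


def evaluate(raw: bytes) -> dict[str, bool]:
    """Run both rule variants and report which of them would fire."""
    return {"body_only": body_only_match(raw), "uri_and_body": uri_and_body_match(raw)}


def build_request(method: str, uri: str, body: bytes = b"") -> bytes:
    """Assemble a minimal HTTP/1.1 request for the samples below (constructed,
    not captured traffic; the Host value is a placeholder)."""
    head = (
        f"{method} {uri} HTTP/1.1\r\n"
        f"Host: www.example.invalid\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


# Constructed samples. CHECKIN mirrors the URI and field names named in the
# thread; the values are invented. BENIGN_FORM uses the same field names on
# an unrelated URI, the kind of POST a body-only rule cannot tell apart.
CHECKIN = build_request(
    "POST", "/set/first.html",
    b"id=0123456789abcdef&os=5.1&plist=explorer.exe;firefox.exe",
)
BENIGN_FORM = build_request("POST", "/account/update", b"id=42&os=linux&plist=default")
QUERY_IN_URI = build_request("GET", "/set/first.html?id=1&os=2&plist=3")

if __name__ == "__main__":
    for name, raw in (("CHECKIN", CHECKIN), ("BENIGN_FORM", BENIGN_FORM),
                      ("QUERY_IN_URI", QUERY_IN_URI)):
        print(f"{name:13s} {evaluate(raw)}")
```

The benign form POST fires the body-only rule but not the revised one, which is the false-positive reduction the added content buys; the GET with the same fields in the query string fires neither, because http_client_body does not cover the URI. One caveat worth keeping in mind: a bare content:"POST /set/first.html" is a raw-payload match, so it also depends on the exact spacing of the request line. If you want it tied to the normalized HTTP buffers like the other three contents, the equivalent is content:"POST"; http_method; content:"/set/first.html"; http_uri; (my suggestion, not something from the thread). Since the revised rule changes the match set under the same sid, it should also go out as rev:2 rather than rev:1.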

