[Emerging-Sigs] GBot Rule

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 29 11:58:38 EDT 2010


Posting as well, that'll be interesting to see in the field, thanks eg

Matt

On Oct 29, 2010, at 11:50 AM, evilghost at packetmail.net wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 10/29/10 10:40, Matthew Jonkman wrote:
>> Nice catch! I'll post something now.
> 
> Matt, I think this would also be a good idea:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
> Suspicious HTTP GET to JPG with query string"; flow:established,to_server;
> content:"GET"; nocase; http_method; content:".jpg?"; nocase; http_uri;
> isdataat:15,relative; sid:2010xxx; rev:1;)
> 
> UNTESTED!
> 
> - -evilghost
> 
>> Matt
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iQIcBAEBAgAGBQJMyu1KAAoJENgimYXu6xOHGDkP/29OloJkMMc2n/aZbwx0ffyV
> zPeZ/DgK/TN0YibwZ9ZZptlrKTTnDtjpIXMOl4grdusRUJGA1hpokX30D7/q2uWo
> djSw8AEbalsh8LguutQwcW6mGILrq06uUJyGOqzoL8uRCXrJ8Tme0Zmi3qHkLOu7
> Pl3Jw5RxdcxLB8HEp8MqTfFdeioI1oaQDZveO7pAjBpozTsgD6d6AV+y5BfuVUPj
> /HoO2VeVEmNXRyfrF7ESBZfSQm9tcjrAtkb6WoNw1ih9zLkODfTbj87GjCumnqyO
> q3X8ylws5PEIWfkSNI0stAY/F/+Z1MDQtX8FNI3CqU15sMvb/Ddya3xh/YL1DP8t
> aQtTRsW60AX7Dh3+C6Cy13OWtxf5GDkxIZ1MZMGK300H0CmCb4Sd4XjyvLYk2ivt
> Fm6HSjxDzaESKzNTE+qWtYQnyc7a81w0Sh3fPNGY676XmiSOeAdXZ2lx7KKeIN/e
> cTSWoQjg8q2JDDKjtVwxh5iIUFKoGFmvbeLdu5xhpgcUYB/JN421Zl4X1dWHqyVQ
> 0kcpkPrDHagDn+/Iy/vSHBfjlJVWSrhrVeNd+9Ni1n2FM7yteQxhmyuE7uYCKaEC
> lnSi7fhMGI3h7RRJUdES6++PSqG9ZiZhXqhD1m7Fw8xTd1SJjODFhr6MMzhiXo64
> ESY07ZLlYp/VTzaKirjF
> =FqnY
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
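To see what the quoted rule actually fires on, here is an added example (not tooling from the thread, from Emerging Threats, or from the Snort/Suricata projects) that models the rule's three content checks on parsed HTTP request lines and runs them over a handful of constructed requests. The `flow:established,to_server` condition and the `$HOME_NET`/`$EXTERNAL_NET`/`$HTTP_PORTS` variables are not modelled; the function names and sample request lines are this example's own.

```python
"""Toy evaluator for the proposed rule (added example, not the list's code).

Rule conditions modelled:
  content:"GET"; nocase; http_method;  -> method equals GET, case-insensitive
  content:".jpg?"; nocase; http_uri;   -> normalized URI contains ".jpg?"
  isdataat:15,relative;                -> at least 15 bytes of URI follow
                                          the end of that ".jpg?" match

flow:established,to_server and the address/port variables are not modelled.
The sample request lines at the bottom are constructed for illustration.
"""

from dataclasses import dataclass
from typing import List, Optional

# isdataat:15,relative in the rule
MIN_TRAILING_BYTES = 15


@dataclass
class HttpRequestLine:
    method: str
    uri: str
    version: str


def parse_request_line(line: str) -> Optional[HttpRequestLine]:
    """Split 'METHOD SP URI SP VERSION'; return None if it is not a request line."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].upper().startswith("HTTP/"):
        return None
    return HttpRequestLine(method=parts[0], uri=parts[1], version=parts[2])


def rule_matches(line: str) -> bool:
    """True when the request line satisfies every content check of the rule."""
    req = parse_request_line(line)
    if req is None:
        return False

    # content:"GET"; nocase; http_method;
    if req.method.upper() != "GET":
        return False

    # content:".jpg?"; nocase; http_uri;
    # The engine would retry later occurrences if the relative check failed,
    # but the first occurrence always has the most trailing bytes, so it is
    # sufficient to test only that one.
    idx = req.uri.lower().find(".jpg?")
    if idx == -1:
        return False

    # isdataat:15,relative -- bytes available after the end of ".jpg?".
    # URIs here are ASCII (assumption), so str length equals byte length.
    trailing = len(req.uri) - (idx + len(".jpg?"))
    return trailing >= MIN_TRAILING_BYTES


def triage(lines: List[str]) -> List[str]:
    """Return the request lines the rule would alert on, in input order."""
    return [line for line in lines if rule_matches(line)]


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /img/banner.jpg?id=0123456789abcdef HTTP/1.1",   # 19 bytes after ".jpg?"
    "GET /img/banner.JPG?x=1 HTTP/1.1",                   # only 3 bytes after
    "POST /img/banner.jpg?id=0123456789abcdef HTTP/1.1",  # wrong method
    "GET /img/banner.png?id=0123456789abcdef HTTP/1.1",   # not a .jpg
    "get /a.jpg?abcdefghijklmno HTTP/1.0",                # exactly 15 bytes, nocase method
    "GET /a.jpg?abcdefghijklmn HTTP/1.0",                 # 14 bytes, one short
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print("ALERT:", hit)
```

The two boundary cases (exactly 15 and 14 trailing bytes) show what `isdataat:15,relative` buys: a short cache-buster such as `?x=1` is ignored, while a long query string after an image extension is flagged. That is also the rule's main false-positive surface, since plenty of legitimate CDNs append long signed tokens to image URLs, so an analyst would want to run it against local traffic before trusting it, as the author's "UNTESTED!" already warns.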
