[Emerging-Sigs] GBot Rule

waldo kitty wkitty42 at windstream.net
Fri Oct 29 19:21:52 EDT 2010


On 10/29/2010 11:50, evilghost at packetmail.net wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/29/10 10:40, Matthew Jonkman wrote:
>> Nice catch! I'll post something now.
>
> Matt, I think this would also be a good idea:
>
> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
> Suspicious HTTP GET to JPG with query string"; flow:established,to_server;
> content:"GET"; nocase; http_method; content:".jpg?"; nocase; http_uri;
> isdataat:15,relative; sid:2010xxx; rev:1;)
>
> UNTESTED!

I thought we had one of these already? I do remember conversation about it some time back...

