[Emerging-Sigs] SIG: ET TROJAN POST of JPEG to External Web Server - Possible Trojan Data Exfiltration/CnC Technique

Kevin Ross kevross33 at googlemail.com
Wed Oct 19 04:11:28 EDT 2011


I have been running this a while now in my environment and it seems to be ok.
Thoughts? Regards, Kevin

# JFIF JPEG header: FF D8 (SOI) FF E0 (APP0) <2-byte segment length> "JFIF\0";
# distance:2 skips the length field, within:5 pins "JFIF\0" directly after it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN POST of JPEG to External Web Server - Possible Trojan Data Exfiltration/CnC Technique"; flow:established,to_server; content:"POST"; http_method; content:"|FF D8 FF E0|"; http_client_body; depth:4; content:"|4A 46 49 46 00|"; http_client_body; distance:2; within:5; classtype:trojan-activity; sid:198371; rev:1;)
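As an added example (not part of Kevin's post), here is a plain-Python model of the rule's matching logic, so the depth/distance/within arithmetic can be checked against constructed POST bodies; the request builder, sample bodies and host name are assumptions made for the test data, not captured traffic.

```python
def rule_matches(raw_request: bytes) -> bool:
    """Return True when raw_request satisfies the same conditions as the rule.

    http_method "POST"                       -> request line must start with POST
    content:"|FF D8 FF E0|"; http_client_body; depth:4;
        -> SOI marker + APP0 marker must sit in the first 4 bytes of the body
    content:"|4A 46 49 46 00|"; http_client_body; distance:2; within:5;
        -> skip the 2-byte APP0 segment length, then "JFIF\0" must follow at once
    """
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return False
    # depth:4 -> the first pattern must be found entirely within the first 4 body bytes
    if body[:4] != b"\xff\xd8\xff\xe0":
        return False
    # distance:2 -> resume 2 bytes after the end of the previous match (offset 4 + 2)
    start = 4 + 2
    # within:5 -> the 5-byte pattern must end within 5 bytes of that point,
    # i.e. it has to start exactly at offset 6
    return body[start:start + 5] == b"JFIF\x00"


def build_post(body: bytes, host: bytes = b"example.invalid") -> bytes:
    """Construct a minimal HTTP/1.1 POST carrying `body` (constructed test data)."""
    return (b"POST /upload HTTP/1.1\r\nHost: " + host +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample bodies: a JFIF JPEG header, an Exif JPEG header, a PNG header,
# and the JFIF body sent with GET instead of POST.
JFIF_POST = build_post(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF_POST = build_post(b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08")
PNG_POST = build_post(b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR")
GET_JFIF = JFIF_POST.replace(b"POST ", b"GET ", 1)

if __name__ == "__main__":
    for name, req in [("JFIF POST", JFIF_POST), ("Exif POST", EXIF_POST),
                      ("PNG POST", PNG_POST), ("JFIF GET", GET_JFIF)]:
        print(f"{name}: {'ALERT' if rule_matches(req) else 'no match'}")
```

Note the coverage gap the Exif sample shows: camera-style JPEGs that open with an APP1/Exif segment (FF D8 FF E1) never hit the FF D8 FF E0 check, so a second content pair for that header would be needed to alert on them too.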