[Emerging-Sigs] Fake AV sig

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 20 12:48:17 EDT 2011

We've got a bunch of these in the sandnet. The URL is very consistent, and it uses a UA of Mozilla/3.0 (compatible; Indy Library).

I'll add the UA, and a couple of the URI parameters, and get it posted.

Thanks Mr Hack! :)


On Oct 19, 2011, at 1:18 PM, Packet Hack wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zentom FakeAV Checkin"; flow:established,to_server; content:".php?prodclass="; fast_pattern:only; http_uri; sid:XXXXXX; rev:1;)
> Examples here:
>  http://www.threatexpert.com/report.aspx?md5=c7204c89947a07a15408569a406ab59a
> Looks like a couple of different checkin types, we could go for
> two more specific rules or just stay with this.
> -- pckthck
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
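The thread proposes matching the check-in on the URI content ".php?prodclass=" and then tightening it with the Indy Library User-Agent. The following is an added example, not code or a rule from Emerging Threats or from either poster: a small matcher that applies both conditions to three constructed HTTP requests, showing why the URI pattern alone can fire on a benign site that happens to use the same parameter name, while requiring the UA as well narrows the hit to the check-in shape described above. The sample requests, hostnames and parameter values are made up, and the tightened rule string is an assumption about what "adding the UA" would look like, with the sid left as the same placeholder the original rule uses.

```python
"""Added example: apply the FakeAV check-in detection logic discussed in the
thread to constructed HTTP requests. Not Emerging Threats code; all sample
traffic below is fabricated for illustration."""

from dataclasses import dataclass

# Conditions taken from the thread: the URI content from Packet Hack's rule
# and the User-Agent Jonkman reports from the sandnet samples.
URI_PATTERN = ".php?prodclass="
INDY_UA = "Mozilla/3.0 (compatible; Indy Library)"

# Hypothetical tightened rule (an assumption about what adding the UA would
# look like, not the rule ET published). Semicolons inside content strings are
# hex-escaped as |3b| because ';' terminates a Snort rule option.
TIGHTENED_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN '
    'Zentom FakeAV Checkin"; flow:established,to_server; '
    'content:".php?prodclass="; fast_pattern:only; http_uri; '
    'content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; '
    'http_header; sid:XXXXXX; rev:2;)'
)


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers)


def matches_uri_only(req: HttpRequest) -> bool:
    """Equivalent of the original rule: URI content only."""
    return URI_PATTERN in req.uri


def matches_uri_and_ua(req: HttpRequest) -> bool:
    """URI content plus the Indy Library User-Agent."""
    return matches_uri_only(req) and req.headers.get("user-agent") == INDY_UA


# Constructed sample requests (not real captures).
SAMPLE_REQUESTS = {
    # Shaped like the check-in described in the thread.
    "fakeav_checkin": (
        b"GET /checkin.php?prodclass=av&id=1 HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n\r\n"
    ),
    # A browser hitting an unrelated site whose query string happens to use
    # the same parameter name: fires the URI-only rule.
    "browser_same_param": (
        b"GET /catalog/list.php?prodclass=shoes HTTP/1.1\r\n"
        b"Host: shop.example.invalid\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 "
        b"Firefox/7.0\r\n\r\n"
    ),
    # A benign Delphi/Indy client with no prodclass parameter: matches neither.
    "indy_other_uri": (
        b"GET /update/version.txt HTTP/1.1\r\n"
        b"Host: updates.example.invalid\r\n"
        b"User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n\r\n"
    ),
}


def evaluate(samples=SAMPLE_REQUESTS):
    """Return {name: (uri_only_hit, uri_and_ua_hit)} for each sample."""
    results = {}
    for name, raw in samples.items():
        req = parse_request(raw)
        results[name] = (matches_uri_only(req), matches_uri_and_ua(req))
    return results


if __name__ == "__main__":
    for name, (uri_hit, both_hit) in evaluate().items():
        print(f"{name:20s} uri_only={uri_hit!s:5s} uri_and_ua={both_hit}")
```

The second sample is the case the extra UA content is meant to exclude; the third shows that the UA alone is not a useful indicator either, since Indy is a common Delphi HTTP client library, which is why the thread keeps the URI parameter as the primary match.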
