[Emerging-Sigs] FP FIX: ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity
kevross33 at googlemail.com
Fri Oct 21 07:07:38 EDT 2011
It seems blackberry devices POST an XML with some information about the
device to a URI of preAuth. I propose just simply negating the blackberry
website to make sure it isn't this.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; content:!"blackberry.com"; http_header; nocase; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; http_client_body; nocase; classtype:trojan-activity; sid:2013139; rev:3;)
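Added example, not from the original post or from the ET ruleset: a small Python emulation of the rule's match logic (http_method, negated http_header content, two http_client_body contents, all case-insensitive except the method) run over constructed HTTP requests, to show that the BlackBerry preAuth POST fires without the negated header content and is excluded with it. Hosts, paths and IMSI values are made up.

```python
# Constructed sample requests (not real captures) exercising sid:2013139 rev:3.
BLACKBERRY_PREAUTH = (
    "POST /preAuth HTTP/1.1\r\n"
    "Host: cp.blackberry.com\r\n"          # legitimate device check-in (the FP case)
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<device><IMSI>310150123456789</IMSI><PIN>2A1B3C4D</PIN></device>"
)
SUSPICIOUS_POST = (
    "POST /gate.php HTTP/1.1\r\n"
    "Host: 198.51.100.7\r\n"                # unknown host, IMSI leaked in lower-case tags
    "\r\n"
    "<info><imsi>310150123456789</imsi></info>"
)
GET_REQUEST = "GET /status HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"


def split_request(raw):
    """Split a raw HTTP request into (method, header block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    method = request_line.split(" ", 1)[0]
    return method, headers, body


def rule_2013139_matches(raw, exclude_blackberry=True):
    """Emulate the rule's content checks. exclude_blackberry=False shows the
    behaviour before the negated http_header content was added (the FP)."""
    method, headers, body = split_request(raw)
    # content:"POST"; http_method;  (case-sensitive: no nocase on this content)
    if "POST" not in method:
        return False
    # content:!"blackberry.com"; http_header; nocase;
    # Note: the exclusion keys on the string appearing anywhere in the header
    # buffer, not on a verified destination; that is the rule's actual semantics.
    if exclude_blackberry and "blackberry.com" in headers.lower():
        return False
    # content:"<IMSI>"; http_client_body; nocase;
    # content:"<|2F|IMSI"; http_client_body; nocase;   (|2F| is '/')
    body_l = body.lower()
    return "<imsi>" in body_l and "</imsi" in body_l


if __name__ == "__main__":
    for name, req in [("blackberry", BLACKBERRY_PREAUTH), ("suspicious", SUSPICIOUS_POST), ("get", GET_REQUEST)]:
        print(name, "rev3:", rule_2013139_matches(req), "no-exclusion:", rule_2013139_matches(req, False))
```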