[Emerging-Sigs] Torpig Ping-Pong Keepalives

Packet Hack pckthck at gmail.com
Fri Oct 21 14:02:20 EDT 2011


2010824/ET TROJAN Torpig Ping-Pong Keepalives Outbound
2010825/ET TROJAN Torpig Ping-Pong Keepalives Inbound

Is this what I should be looking for?

  PING :3725369297
  PONG :3725369297
  PING :BE4795F4
  PING :localhost

The rules seem like they'd trip a lot

  flow:to_server; dsize:<20; content:"PONG |3a|"; depth:6; reference:url...

-- pckthck
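
An added example, not part of the original post and not the ET rule itself: a small Python check that applies only the options visible in the quoted fragment (dsize, content, depth) to the lines from the post. The trailing CRLF on each payload and the two extra PONG samples are assumptions, constructed for illustration.

```python
import re

# Only the options visible in the quoted fragment are modelled. The rule
# header, flow state (flow:to_server) and anything after "reference:url..."
# are not on the page and are not evaluated here.
RULE_OPTS = 'dsize:<20; content:"PONG |3a|"; depth:6;'

def decode_content(pattern):
    """Turn Snort/Suricata content syntax ("PONG |3a|") into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes: space-separated hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_opts(opts):
    """Extract the dsize upper bound, content bytes and depth."""
    dsize = int(re.search(r"dsize:<(\d+);", opts).group(1))
    content = decode_content(re.search(r'content:"([^"]*)";', opts).group(1))
    depth = int(re.search(r"depth:(\d+);", opts).group(1))
    return dsize, content, depth

def matches(payload, opts=RULE_OPTS):
    """True if one TCP payload satisfies dsize, content and depth together."""
    dsize, content, depth = parse_opts(opts)
    if len(payload) >= dsize:
        return False
    # depth restricts the content search to the first `depth` payload bytes
    return content in payload[:depth]

# Payloads built from the lines in the post, CRLF assumed (constructed).
SAMPLES = [
    b"PING :3725369297\r\n",
    b"PONG :3725369297\r\n",
    b"PING :BE4795F4\r\n",
    b"PING :localhost\r\n",
    b"PONG :localhost\r\n",        # constructed: short reply to the PING above
    b"PONG :irc.example.net\r\n",  # constructed: 23 bytes, over the dsize limit
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{len(p):2d} bytes  match={matches(p)!s:5}  {p!r}")
```

With these options alone, any payload that starts with "PONG :" and is under 20 bytes matches, whatever the token after the colon is.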

