[Emerging-Sigs] PROPOSED SIG: ET TROJAN W32/DirtJumper DDOS Bot Checkin

Kevin Ross kevross33 at googlemail.com
Mon Oct 24 18:51:39 EDT 2011


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/DirtJumper DDOS Bot Checkin"; flow:established,to_server; content:"POST"; http_method; content:"HTTP/1.0"; http_header; content:"k="; http_client_body; depth:2; pcre:"/k\x3D[0-9]{6}/"; classtype:trojan-activity; reference:url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; sid:144991; rev:1;)

For current version.
Regards, Kevin
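
Added example (not part of the original post or of the Emerging Threats ruleset): a simplified Python model of the proposed rule's conditions, run over constructed requests, showing what it matches and that its pcre, having no buffer modifier, can be satisfied outside the POST body. Engine buffer normalization is not modelled; the host, paths, sample values and the body-anchored variant are assumptions for illustration.

```python
import re

def split_request(raw: bytes):
    """Split a raw HTTP request into (method, head, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b" ", 1)[0], head, body

def rule_as_posted(raw: bytes) -> bool:
    method, head, body = split_request(raw)
    return (method == b"POST"            # content:"POST"; http_method
            and b"HTTP/1.0" in head      # content:"HTTP/1.0" (buffer handling simplified)
            and body[:2] == b"k="        # content:"k="; http_client_body; depth:2
            # pcre has no buffer modifier, so it is modelled on the whole request
            and re.search(rb"k\x3D[0-9]{6}", raw) is not None)

def rule_body_anchored(raw: bytes) -> bool:
    """Hypothetical tighter variant: the six digits must follow k= at body start."""
    method, head, body = split_request(raw)
    return (method == b"POST" and b"HTTP/1.0" in head
            and re.match(rb"k=[0-9]{6}", body) is not None)

def req(line: bytes, body: bytes, extra: bytes = b"") -> bytes:
    """Build a constructed request; example.com is a placeholder host."""
    return line + b"\r\nHost: example.com\r\n" + extra + b"\r\n" + body

# Constructed sample traffic, not captured from a real bot.
SAMPLES = {
    "checkin":     req(b"POST /index.php HTTP/1.0", b"k=123456"),
    "http11":      req(b"POST /index.php HTTP/1.1", b"k=123456"),
    "get":         req(b"GET /index.php HTTP/1.0", b""),
    "k_not_first": req(b"POST /form HTTP/1.0", b"id=1&k=123456"),
    "short_value": req(b"POST /form HTTP/1.0", b"k=12ab"),
    # Body starts with k= but the six digits sit in a header value.
    "cookie_fp":   req(b"POST /form HTTP/1.0", b"k=v1", b"Cookie: tok=123456\r\n"),
}

def evaluate():
    """Return {sample: (as_posted, body_anchored)} for every sample."""
    return {name: (rule_as_posted(r), rule_body_anchored(r))
            for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (posted, anchored) in evaluate().items():
        print(f"{name:12} as_posted={posted!s:5} body_anchored={anchored}")
```

In Snort rule syntax the body-anchored variant corresponds to anchoring the pcre and giving it the client-body modifier, e.g. pcre:"/^k\x3D[0-9]{6}/P".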