[Emerging-Sigs] Jorik FakeAV sig

Packet Hack pckthck at gmail.com
Thu Oct 27 14:50:08 EDT 2011

Seeing this in conjunction with some other FakeAV traffic:

  GET /britix/a HTTP/1.1
  Accept: */*
  Accept-Language: en
  User-Agent: Internet Explorer
  Host: open-994233.com
  Connection: Keep-Alive

QND rule:

# The infected client on $HOME_NET sends this GET out to the external host (open-994233.com),
# so the rule watches outbound requests; $EXTERNAL_NET -> $HOME_NET would only see inbound GETs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"UFOISC Jorik FakeAV GET"; flow:established,to_server; content:"GET /britix/a HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)

-- pckthck
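As an added illustration (not part of the original post), the same detection logic in Python: it parses a raw HTTP request, enforces the outbound $HOME_NET -> $EXTERNAL_NET direction the rule relies on, and reports the request-line match plus the bare "Internet Explorer" User-Agent from the post as a corroborating indicator. The sample requests, the 10.0.0.0/8 home net and the IP addresses are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed $HOME_NET for this example; the rule itself uses the sensor's variable.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample requests (not captured traffic): the first mirrors the
# request shown in the post, the other two are benign controls.
SAMPLE_REQUESTS = [
    "GET /britix/a HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en\r\n"
    "User-Agent: Internet Explorer\r\nHost: open-994233.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36\r\n\r\n",
    "GET /britix/a HTTP/1.1\r\nHost: web.corp.example\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
]

def parse_request(raw: str) -> Optional[Dict[str, str]]:
    """Split a raw HTTP request into request-line fields and lower-cased headers.
    Returns None when the first line is not a well-formed request line."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) (HTTP/1\.[01])$", lines[0])
    if not m:
        return None
    req = {"method": m.group(1), "uri": m.group(2), "version": m.group(3)}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            req[name.strip().lower()] = value.strip()
    return req

def match_jorik(raw: str, src_ip: str, dst_ip: str) -> List[str]:
    """Return the indicators that fire for one request; [] means no alert.
    The signature content is mandatory; the User-Agent check only adds context."""
    src_home = ipaddress.ip_address(src_ip) in HOME_NET
    dst_home = ipaddress.ip_address(dst_ip) in HOME_NET
    # flow:to_server from $HOME_NET to $EXTERNAL_NET: an internal client calling out.
    if not (src_home and not dst_home):
        return []
    req = parse_request(raw)
    if req is None or (req["method"], req["uri"], req["version"]) != ("GET", "/britix/a", "HTTP/1.1"):
        return []
    hits = ["content:GET /britix/a HTTP/1.1"]
    if req.get("user-agent") == "Internet Explorer":
        hits.append("bare User-Agent 'Internet Explorer'")
    return hits
```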

