[Emerging-Sigs] Jorik FakeAV sig

waldo kitty wkitty42 at windstream.net
Thu Oct 27 16:45:23 EDT 2011


On 10/27/2011 14:50, Packet Hack wrote:
> Seeing this in conjunction with some other FakeAV traffic:
>
>    GET /britix/a HTTP/1.1
>    Accept: */*
>    Accept-Language: en
>    User-Agent: Internet Explorer
>    Host: open-994233.com
>    Connection: Keep-Alive
>
> QND rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"UFOISC Jorik FakeAV GET"; flow:established,to_server; content:"GET /britix/a HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)

how about a rule (or two) for that obviously fake UA, too ;)
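As an added illustration (not code from either poster), the two checks the thread talks about, the exact request line from the posted capture and the bare "Internet Explorer" User-Agent, written as a small Python matcher and run over constructed request samples. The sample requests, the rule names and the Snort fragment in the comment are assumptions made for this example; only the first sample reproduces the request quoted above.

```python
# Detection logic for the Jorik FakeAV request discussed in the thread.
# The User-Agent check is anchored to the whole header value, because a
# genuine IE request carries something like "Mozilla/4.0 (compatible; MSIE
# 8.0; ...)"; a header that is literally just "Internet Explorer" is the
# fake one. A Snort equivalent for the UA check would be something like
#   content:"User-Agent|3a 20|Internet Explorer|0d 0a|"; http_header;
# (assumed rule text, not from the thread).
from typing import Callable, Dict, List, Tuple

Headers = Dict[bytes, bytes]


def parse_request(raw: bytes) -> Tuple[bytes, Headers]:
    """Split an HTTP request into its request line and a header map.

    Header names are lower-cased; values are stripped. Only the head of the
    message (up to the blank line) is inspected.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers: Headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


# (alert name, predicate over request line and headers)
RULES: List[Tuple[str, Callable[[bytes, Headers], bool]]] = [
    # Mirrors the posted content match: the whole request line, exactly.
    ("UFOISC Jorik FakeAV GET",
     lambda rl, h: rl == b"GET /britix/a HTTP/1.1"),
    # The fake UA: whole-value comparison, not a substring search.
    ("UFOISC Jorik FakeAV bare IE User-Agent",
     lambda rl, h: h.get(b"user-agent") == b"Internet Explorer"),
]


def match_request(raw: bytes) -> List[str]:
    """Return the names of all rules that fire on one client request."""
    request_line, headers = parse_request(raw)
    return [name for name, pred in RULES if pred(request_line, headers)]


# Constructed samples (not captured traffic). "jorik" reproduces the request
# quoted in the thread; the rest are made up to exercise the checks.
SAMPLES: Dict[str, bytes] = {
    "jorik": (
        b"GET /britix/a HTTP/1.1\r\n"
        b"Accept: */*\r\n"
        b"Accept-Language: en\r\n"
        b"User-Agent: Internet Explorer\r\n"
        b"Host: open-994233.com\r\n"
        b"Connection: Keep-Alive\r\n\r\n"
    ),
    # A real IE request: neither rule should fire.
    "real_ie": (
        b"GET /index.html HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n"
        b"Host: www.example.com\r\n\r\n"
    ),
    # Same fake UA, different path: only the UA rule should fire.
    "fake_ua_other_path": (
        b"GET /other/b HTTP/1.1\r\n"
        b"User-Agent: Internet Explorer\r\n"
        b"Host: www.example.com\r\n\r\n"
    ),
    # "Internet Explorer" buried inside a longer UA: a naive substring
    # match would fire here, the anchored check does not.
    "ua_substring": (
        b"GET / HTTP/1.1\r\n"
        b"User-Agent: Mozilla/5.0 (compatible; Internet Explorer 8 clone)\r\n"
        b"Host: www.example.com\r\n\r\n"
    ),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {match_request(raw) or 'no alert'}")
```

The matcher keys on the normalized header value, which is what `http_header` style modifiers give you in an IDS; a plain `content:"Internet Explorer"` without anchoring would also hit the last sample.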



More information about the Emerging-sigs mailing list