[Emerging-Sigs] FP 2013520

harry.tuttle harry.tuttle at zoho.com
Fri Oct 28 11:57:36 EDT 2011


I don't know what the intended traffic looks like, so I think the best I can do is to negate the host.

Regards,
Harry


Current
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d+/U"; classtype:trojan-activity; sid:2013520; rev:1;)

Proposed
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; content: !"Host|3a 20|media.hometeamsonline.com|0d 0a|"; http_header; pcre:"/\.jpg\?t\x3d\d\.\d+/U"; classtype:trojan-activity; sid:2013520; rev:2;)
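As an added illustration, not part of Harry's post or of the Emerging Threats ruleset, the Python below emulates how rev 1 and the proposed rev 2 of sid 2013520 evaluate against a few constructed HTTP requests. It approximates the engine's `http_uri` and `http_header` buffers with a simple request split (no URI normalization), so it shows the logic of the negated `Host` content rather than the exact behaviour of Snort or Suricata. The request bodies and hostnames other than media.hometeamsonline.com are made up for the example.

```python
import re

# Constructed sample requests (not from the original post), as sent to_server.
REQUESTS = {
    # The false positive the thread is about: legitimate host, matching URI pattern.
    "fp_hometeamsonline": (
        b"GET /images/logo.jpg?t=0.5183 HTTP/1.1\r\n"
        b"Host: media.hometeamsonline.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    # Same URI pattern to some other host: rev 2 should still alert.
    "suspicious_other_host": (
        b"GET /load.jpg?t=0.1234567 HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    # Ordinary image fetch without the ?t=0.<digits> token: neither rev alerts.
    "benign_no_token": (
        b"GET /photo.jpg HTTP/1.1\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
    # Edge case: same legitimate host but with an explicit port. The negated
    # content ends in |0d 0a| right after the hostname, so this is NOT excluded.
    "fp_host_with_port": (
        b"GET /images/logo.jpg?t=0.5183 HTTP/1.1\r\n"
        b"Host: media.hometeamsonline.com:80\r\n\r\n"
    ),
}

# content:".jpg?t=0."; http_uri;
URI_CONTENT = b".jpg?t=0."
# pcre:"/\.jpg\?t\x3d\d\.\d+/U";  (\x3d is '=')
URI_PCRE = re.compile(rb"\.jpg\?t\x3d\d\.\d+")
# content:!"Host|3a 20|media.hometeamsonline.com|0d 0a|"; http_header;
NEGATED_HOST_HEADER = b"Host: media.hometeamsonline.com\r\n"


def split_request(raw):
    """Return (request_uri, header_block) for a raw HTTP request.

    Rough stand-in for the engine's http_uri / http_header buffers.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    # Re-add the trailing CRLF so the last header line ends in |0d 0a| too.
    return uri, headers + b"\r\n"


def matches_rev1(raw):
    """rev:1 alerts on the URI content plus the PCRE alone."""
    uri, _headers = split_request(raw)
    return URI_CONTENT in uri and URI_PCRE.search(uri) is not None


def matches_rev2(raw):
    """rev:2 adds the negated Host header: it alerts only when rev 1 matches
    AND the exact byte string 'Host: media.hometeamsonline.com\\r\\n' is absent."""
    uri, headers = split_request(raw)
    if not matches_rev1(raw):
        return False
    return NEGATED_HOST_HEADER not in headers


def evaluate(requests):
    """Map each sample name to (rev1_alerts, rev2_alerts)."""
    return {name: (matches_rev1(r), matches_rev2(r)) for name, r in requests.items()}


if __name__ == "__main__":
    for name, result in evaluate(REQUESTS).items():
        print(f"{name:24s} rev1={result[0]!s:5s} rev2={result[1]}")
```

Running it shows the negation suppressing the hometeamsonline false positive while leaving other hosts alerting. The last sample is the caveat worth keeping in mind when negating on a header this way: because the excluded content is anchored by `|0d 0a|` immediately after the hostname, any variation such as a `:port` suffix or different capitalisation falls outside the exclusion and still alerts, so the whitelist is only as precise as the exact bytes in that header.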
