[Emerging-Sigs] Jorik FakeAV sig

Jason jae.williams at gmail.com
Sat Oct 29 15:40:17 EDT 2011

> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"UFOISC Jorik FakeAV GET"; flow:established,to_server; content:"GET /britix/a HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)

Forgive me as I do not work often with Snort. Would this signature also catch
"/britix/ar"? You should be on guard for this in addition to the /a. Thank you.
