[Emerging-Sigs] Jorik FakeAV sig

Jason jae.williams at gmail.com
Sat Oct 29 15:40:17 EDT 2011


> 
> alert tcp $EXTERNAL_NET  any -> $HOME_NET $HTTP_PORTS (msg:"UFOISC
> Jorik FakeAV GET"; flow:established,to_server;  content:"GET /britix/a
> HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)
> 


Forgive me, as I do not work often with Snort. Would this signature also catch
"/britix/ar"? You should be on guard for this in addition to the /a. Thank you.



