[Emerging-Sigs] Daily Ruleset Update Summary 09/09/2014

waldo kitty wkitty42 at windstream.net
Wed Sep 10 16:35:05 EDT 2014


On 9/10/2014 4:06 PM, rmkml wrote:
> Thx Community and @EmergingThreats team,
>
> Could you share url with this sig please ?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP
> Win32.SoftPulse Retrieving data"; flow:established,to_server; content:"GET";
> http_method; content:"/maxpower-static/"; http_uri; fast_pattern:only;
> content:"templates/"; offset:17; depth:10; http_uri; content:!"Referer|3a|";
> http_header; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5;
> classtype:trojan-activity; sid:2019143; rev:2;)
>
> because I am curious with offset/depth.

if i'm reading references.conf correctly, that url would be

http://www.threatexpert.com/report.aspx?md5=4aa02ca6a3f04cf445924a6d657d10e5

i don't know how to get to the actual item, though...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
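
On the offset/depth question quoted in the message above, here is an added example (not part of the original thread and not Emerging Threats tooling) that evaluates the rule's two `http_uri` contents against constructed URIs. Depth is counted from the offset, so `offset:17; depth:10` leaves a 10-byte window starting at byte 17, and 17 is the length of "/maxpower-static/". The helper names are hypothetical, and only plain, non-negated `http_uri` contents are handled.

```python
import re

# Rule as quoted in the message above, with the wrapped lines joined.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP '
    'Win32.SoftPulse Retrieving data"; flow:established,to_server; content:"GET"; '
    'http_method; content:"/maxpower-static/"; http_uri; fast_pattern:only; '
    'content:"templates/"; offset:17; depth:10; http_uri; content:!"Referer|3a|"; '
    'http_header; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; '
    'classtype:trojan-activity; sid:2019143; rev:2;)'
)

# One rule option: keyword, optional ":value" (quoted strings may hold ';').
OPTION = re.compile(r'\s*([a-z_]+)(?::((?:"[^"]*"|[^;"])*))?;')


def parse_contents(rule):
    """Group each content keyword with the modifiers that follow it."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for key, value in OPTION.findall(body):
        if key == "content":
            contents.append({"pattern": value.strip(), "mods": {}})
        elif contents and key not in ("reference", "classtype", "sid", "rev"):
            contents[-1]["mods"][key] = value
    return contents


def uri_matches(rule, uri):
    """True if every http_uri content is found inside its offset/depth window."""
    for c in parse_contents(rule):
        if "http_uri" not in c["mods"]:
            continue  # method and header contents are out of scope here
        pattern = c["pattern"].strip('"')
        start = int(c["mods"].get("offset") or 0)
        depth = c["mods"].get("depth")
        # The whole pattern must sit inside [start, start + depth).
        end = start + int(depth) if depth else len(uri)
        if uri.find(pattern, start, end) == -1:
            return False
    return True


if __name__ == "__main__":
    # Constructed URIs, not taken from the referenced sample.
    for uri in ("/maxpower-static/templates/a/b.css",
                "/x/maxpower-static/templates/a.css"):
        print(uri, uri_matches(RULE, uri))
```

Because "templates/" is itself 10 bytes long, the window only fits it at exactly byte 17, which is directly after "/maxpower-static/" when that string opens the URI.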

