[Emerging-Sigs] Daily Ruleset Update Summary 09/092014

rmkml rmkml at yahoo.fr
Wed Sep 10 16:42:33 EDT 2014


Thx Waldo,

For example found on this link:
(http://www.sophos.com/fr-fr/threat-center/threat-analyses/adware-and-puas/SoftPulse/detailed-analysis.aspx)

http://stan.mxp2098.com/maxpower-static/templates/2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/css/images/bg_app.png
http://stan.mxp2098.com/maxpower-static/templates/2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/css/style.css
http://stan.mxp2098.com/maxpower-static/templates/2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/t2/css/style.css

"/maxpower-static/" length is exactly 17, but why split it into two http_uri contents?

Maybe replace with?
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32.SoftPulse Retrieving data"; flow:established,to_server; 
content:"GET"; http_method; content:"/maxpower-static/templates/"; depth:27; http_uri; content:!"Referer|3a|"; http_header; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; classtype:trojan-activity; sid:2019143; rev:3;)

Regards
@Rmkml


On Wed, 10 Sep 2014, waldo kitty wrote:

> On 9/10/2014 4:06 PM, rmkml wrote:
>>  Thx Community and @EmergingThreats team,
>>
>>  Could you share url with this sig please ?
>>
>>  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP
>>  Win32.SoftPulse Retrieving data"; flow:established,to_server;
>>  content:"GET";
>>  http_method; content:"/maxpower-static/"; http_uri; fast_pattern:only;
>>  content:"templates/"; offset:17; depth:10; http_uri;
>>  content:!"Referer|3a|";
>>  http_header; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5;
>>  classtype:trojan-activity; sid:2019143; rev:2;)
>>
>>  because I am curious with offset/depth.
>
> if i'm reading references.conf correctly, that url would be
>
> http://www.threatexpert.com/report.aspx?md5=4aa02ca6a3f04cf445924a6d657d10e5
>
> i don't know how to get to the actual item, though...
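
To make the offset/depth question concrete, here is an added illustration (not code from this thread, from Emerging Threats or from the Sophos write-up): a small Python model of Snort/Suricata "content" matching with absolute offset/depth, run over the http_uri part of sid 2019143 in its two-content form (rev 2) and in the single merged content (rev 3 above). The three URIs are the ones quoted from the Sophos page; the non-matching URIs and the request headers are constructed, and the matcher is a simplified model (absolute offset, depth counted from offset, case-sensitive), not the engine's own code.

```python
# Added illustration of Snort/Suricata content + offset/depth semantics,
# applied to sid 2019143 rev 2 (two http_uri contents) and rev 3 (merged).
# Not code from the thread or from the Emerging Threats ruleset.

# The three URIs quoted in the thread from the Sophos SoftPulse write-up.
SOPHOS_URIS = [
    "/maxpower-static/templates/2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/css/images/bg_app.png",
    "/maxpower-static/templates/2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/css/style.css",
    "/maxpower-static/templates/2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/t2/css/style.css",
]

# Constructed URIs that should not fire under either revision.
NON_MATCHING_URIS = [
    "/maxpower-static/other/foo.css",        # right prefix, wrong directory
    "/x/maxpower-static/templates/a.css",    # prefix present but not at byte 0
    "/templates/maxpower-static/a.css",      # both pieces present, wrong order
]


def content_match(buf, pattern, offset=0, depth=None):
    """Model of one 'content' keyword with absolute modifiers.

    offset: byte position at which the search starts (default 0).
    depth:  number of bytes, counted from offset, within which the pattern
            must be found (default: the rest of the buffer).
    A depth equal to the pattern length pins the pattern to one position.
    """
    end = len(buf) if depth is None else offset + depth
    return pattern in buf[offset:end]


def rev2_uri_match(uri):
    """rev 2: content:"/maxpower-static/"; http_uri;
              content:"templates/"; offset:17; depth:10; http_uri;"""
    return (content_match(uri, "/maxpower-static/")
            and content_match(uri, "templates/", offset=17, depth=10))


def rev3_uri_match(uri):
    """rev 3 (proposed): content:"/maxpower-static/templates/"; depth:27; http_uri;"""
    return content_match(uri, "/maxpower-static/templates/", depth=27)


def rule_fires(method, uri, raw_headers, uri_check=rev3_uri_match):
    """Whole rule: GET method, the URI check, and no Referer header
    (content:!"Referer|3a|"; http_header is a negated, case-sensitive match)."""
    return method == "GET" and uri_check(uri) and "Referer:" not in raw_headers


def compare(uri):
    """Return (rev2, rev3) results so any difference is easy to spot."""
    return rev2_uri_match(uri), rev3_uri_match(uri)


if __name__ == "__main__":
    for u in SOPHOS_URIS + NON_MATCHING_URIS:
        print(compare(u), u)
    # Constructed URI showing the one way the two forms differ: rev 2 pins
    # "templates/" to bytes 17-26 but lets "/maxpower-static/" float anywhere,
    # so any 17-byte prefix followed by the pieces in the other order fires.
    odd = "/" + "a" * 15 + "/templates/maxpower-static/"
    print(compare(odd), odd)
```

On the real URIs both forms agree, so merging the two contents loses no detection; the merged content with depth:27 is in fact slightly stricter, because it anchors the whole path prefix at byte 0 instead of letting "/maxpower-static/" match anywhere in the URI.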

