[Emerging-Sigs] sid:2808800 negation

Marcus Cymerman marcuscymerman at gmail.com
Tue Sep 30 09:59:09 EDT 2014


Folks,

Could you please add a negation to the rule sid:2808800?

Host != download.microsoft.com


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO TROJAN Win32.Llac.bbeh downloading files"; flow:established,to_server; content:"/download/"; http_uri; content:".exe"; http_uri; content:"User-Agent|3a 20|Wget/1.11.4|0d 0a|"; fast_pattern:12,11; http_header; content:!"Referer|3a 20|"; http_header; content:"|20|HTTP/1.0|0d 0a|"; reference:md5,6516595d1c3968feedd23812c522fedd; classtype:trojan-activity; sid:2808800; rev:1;)



Thanks

Marcus Cymerman
Cell: 1-786-417-4212
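The request above asks for a Host negation on sid:2808800 so that legitimate Wget fetches of .exe files from download.microsoft.com stop firing the signature. The following is an added worked example, not part of the original post and not an Emerging Threats revision of the rule: it writes the negation as one more negated content match on the http_header buffer (the same idiom the rule already uses for Referer), then replays the rule's match conditions over constructed HTTP requests to show the false positive before the change and the unchanged true positive after it. The host files.example.invalid, the request bodies and the rev bump are all constructed for the example; a real engine's http_header normalization and fast_pattern handling are not reproduced here, only the match/no-match decision.

```python
"""Constructed example: sid:2808800 match logic before and after a Host negation,
replayed over hand-written HTTP requests (not real traffic)."""

# Original rule plus one added line: a negated, case-insensitive match on the
# Host header. Assumption: negation expressed as content:! on http_header, the
# same way the rule already excludes requests carrying a Referer. rev bumped
# per the usual convention for a modified rule.
REVISED_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO TROJAN '
    'Win32.Llac.bbeh downloading files"; flow:established,to_server; '
    'content:"/download/"; http_uri; content:".exe"; http_uri; '
    'content:"User-Agent|3a 20|Wget/1.11.4|0d 0a|"; fast_pattern:12,11; http_header; '
    'content:!"Referer|3a 20|"; http_header; '
    'content:!"Host|3a 20|download.microsoft.com|0d 0a|"; http_header; nocase; '
    'content:"|20|HTTP/1.0|0d 0a|"; '
    'reference:md5,6516595d1c3968feedd23812c522fedd; classtype:trojan-activity; '
    'sid:2808800; rev:2;)'
)


def split_request(raw: bytes):
    """Return (request_line, uri, header_block) for a raw HTTP request.

    The header block keeps a trailing CRLF so a pattern ending in |0d 0a|
    can match the last header line, as the engine's http_header buffer does.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return request_line, uri, header_block + b"\r\n"


def matches_sid_2808800(raw: bytes, host_negation: bool) -> bool:
    """Evaluate the rule's content checks; host_negation toggles the new line."""
    _, uri, headers = split_request(raw)
    if b"/download/" not in uri or b".exe" not in uri:     # both http_uri contents
        return False
    if b"User-Agent: Wget/1.11.4\r\n" not in headers:       # http_header content
        return False
    if b"Referer: " in headers:                             # negated http_header
        return False
    if b" HTTP/1.0\r\n" not in raw:                         # raw payload content
        return False
    if host_negation and b"host: download.microsoft.com\r\n" in headers.lower():
        return False                                        # requested negation
    return True


def wget_request(host: bytes, uri: bytes, ua: bytes = b"Wget/1.11.4",
                 version: bytes = b"HTTP/1.0", referer: bytes = None) -> bytes:
    """Build a constructed Wget-style request (header order is illustrative)."""
    lines = [b"GET " + uri + b" " + version,
             b"User-Agent: " + ua,
             b"Accept: */*",
             b"Host: " + host,
             b"Connection: Keep-Alive"]
    if referer:
        lines.append(b"Referer: " + referer)
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed sample requests; files.example.invalid is a placeholder host.
SAMPLES = {
    "microsoft_download": wget_request(b"download.microsoft.com",
                                       b"/download/A/B/Setup.exe"),
    "other_host_download": wget_request(b"files.example.invalid",
                                        b"/download/bin/update.exe"),
    "with_referer": wget_request(b"files.example.invalid",
                                 b"/download/bin/update.exe",
                                 referer=b"http://files.example.invalid/"),
    "newer_wget_http11": wget_request(b"files.example.invalid",
                                      b"/download/bin/update.exe",
                                      ua=b"Wget/1.14", version=b"HTTP/1.1"),
}


def verdicts() -> dict:
    """Map each sample to (alert_with_rev1, alert_with_host_negation)."""
    return {name: (matches_sid_2808800(req, host_negation=False),
                   matches_sid_2808800(req, host_negation=True))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (before, after) in verdicts().items():
        print(f"{name:22s} rev1={before!s:5s} with_negation={after!s:5s}")
```

Only the download.microsoft.com sample changes verdict; the other-host download still alerts, and the Referer and HTTP/1.1 samples never matched, so the negation narrows the rule exactly as requested. Note that the negation is on the literal Host header, so it suppresses the alert whenever that header claims download.microsoft.com, whether or not the connection actually goes there; if that matters in your deployment, pair it with DNS or destination-IP context rather than relying on the header alone.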