[Emerging-Sigs] sid:2808800 negation

Darien Huss dhuss at emergingthreats.net
Tue Sep 30 10:06:24 EDT 2014


Thanks Marcus, we can get that fixed up today.

Regards,
Darien

On Tue, Sep 30, 2014 at 9:59 AM, Marcus Cymerman <marcuscymerman at gmail.com>
wrote:

> Folks,
>
> Could you please add a negation to the rule sid:2808800?
>
> Host != download.microsoft.com
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO TROJAN
> Win32.Llac.bbeh downloading files"; flow:established,to_server;
> content:"/download/"; http_uri; content:".exe"; http_uri;
> content:"User-Agent|3a 20|Wget/1.11.4|0d 0a|"; fast_pattern:12,11;
> http_header; content:!"Referer|3a 20|"; http_header;
> content:"|20|HTTP/1.0|0d 0a|";
> reference:md5,6516595d1c3968feedd23812c522fedd; classtype:trojan-activity;
> sid:2808800; rev:1;)
>
>
>
> Thanks
>
> Marcus Cymerman
> Cell: 1-786-417-4212
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
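For reference, the exclusion Marcus asks for can be expressed directly in the rule as a negated content match against the HTTP header buffer. The following is an editor's illustration of that change, not the rev:2 that ET Pro actually published; the rev bump and the Suricata variant are assumptions.

```snort
# Added illustration of the requested Host exclusion on sid:2808800.
# Not the revision ET Pro shipped; rev:2 is assumed.
# Snort 2.9 form: a negated content in the normalized HTTP header buffer.
# Negated contents can never be the fast pattern, so the explicit
# fast_pattern on the Wget User-Agent string is kept as in the original.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO TROJAN Win32.Llac.bbeh downloading files"; flow:established,to_server; content:"/download/"; http_uri; content:".exe"; http_uri; content:"User-Agent|3a 20|Wget/1.11.4|0d 0a|"; fast_pattern:12,11; http_header; content:!"Referer|3a 20|"; http_header; content:!"Host|3a 20|download.microsoft.com|0d 0a|"; http_header; nocase; content:"|20|HTTP/1.0|0d 0a|"; reference:md5,6516595d1c3968feedd23812c522fedd; classtype:trojan-activity; sid:2808800; rev:2;)

# Suricata form (assumed): the http_host buffer holds only the hostname,
# already lowercased and without the "Host: " prefix, port or CRLF, so the
# negated content is written bare and in lowercase.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO TROJAN Win32.Llac.bbeh downloading files"; flow:established,to_server; content:"/download/"; http_uri; content:".exe"; http_uri; content:"User-Agent|3a 20|Wget/1.11.4|0d 0a|"; fast_pattern:12,11; http_header; content:!"Referer|3a 20|"; http_header; content:!"download.microsoft.com"; http_host; content:"|20|HTTP/1.0|0d 0a|"; reference:md5,6516595d1c3968feedd23812c522fedd; classtype:trojan-activity; sid:2808800; rev:2;)
```

One caveat worth keeping in mind with this style of exclusion: the Host header is supplied by the client, so the negation suppresses the legitimate Microsoft downloads that triggered the request, but a sample that deliberately sends Host: download.microsoft.com would be suppressed too. If that trade-off is unacceptable, scope the exclusion to the destination address space (for example with a pass rule) instead of relying on the header alone.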