And another one for this. In the samples the check-in was seen on two different ports (3163 and 8181, or thereabouts), so the rule below matches on any destination port from 1024 upwards to avoid false negatives, since I am not sure whether other ports are used as well. Because the traffic is not on $HTTP_PORTS the rule matches on the raw payload (offset:4 to skip past the method) rather than on http_uri.<br><br>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET 1024: (msg:&quot;ET TROJAN W32/Mebromi Bios Rootkit CnC Count Checkin&quot;; flow:established,to_server; content:&quot;/Count.asp?UserID=&quot;; offset:4; depth:25; content:&quot;&amp;MAC=&quot;; distance:1; within:10; content:&quot;&amp;Process=&quot;; distance:0; classtype:trojan-activity; reference:url,<a href="http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20">http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20</a>; reference:url,<a href="http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/">http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/</a>; sid:1232323; rev:1;)  <br>
<br>Kev<br><br><div class="gmail_quote">On 4 October 2011 19:44, Kevin Ross <span dir="ltr">&lt;<a href="mailto:kevross33@googlemail.com">kevross33@googlemail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt&quot;; flow:established,to_client; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; content:&quot;.pdf|22|&gt;&lt;|2F|iframe&gt;&quot;; nocase; distance:0; classtype:attempted-user; reference:bid,49933; reference:cve,2011-2841; sid:1330091; rev:1;)<br>

<br>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET 806 (msg:&quot;ET TROJAN W32/Mebromi Bios Rootkit CnC Checkin&quot;; flow:established,to_server; content:&quot;.php?userid=&quot;; content:&quot;&amp;time=&quot;; distance:0; content:&quot;&amp;msg=&quot;; distance:0; content:&quot;&amp;ver=&quot;; distance:0; content:&quot;&amp;os=&quot;; distance:0; content:&quot;&amp;fy=&quot;; distance:0; content:&quot;&amp;pauid=&quot;; distance:0; content:&quot;&amp;checkId=&quot;; distance:0; classtype:trojan-activity; reference:url,<a href="http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20" target="_blank">http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20</a>; reference:url,<a href="http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" target="_blank">http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/</a>; sid:1232321; rev:1;)<br>

<br>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:&quot;ET TROJAN W32/Mebromi Bios Rootkit CnC Checkin 2&quot;; flow:established,to_server; content:&quot;.asp?ver=&quot;; http_uri; content:&quot;&amp;tgid=&quot;; http_uri; content:&quot;&amp;address=&quot;; http_uri; content:&quot;&amp;flag=&quot;; http_uri; content:&quot;&amp;alexa=&quot;; http_uri; content:&quot;&amp;List=&quot;; http_uri; classtype:trojan-activity; reference:url,<a href="http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20" target="_blank">http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20</a>; reference:url,<a href="http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" target="_blank">http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/</a>; sid:1232322; rev:1;)<br>

<br>Regards, Kevin<br>
</blockquote></div><br>