Yes Sir!

I've moved it from PRO to open since Kevin did build exactly the same rule based on this info http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/

Thanks Kevin, sorry for the delay.

=>

Message: 1
Date: Tue, 11 Oct 2011 06:43:43 -0400
From: Matthew Jonkman <jonkman@emergingthreatspro.com>
Subject: Re: [Emerging-Sigs] SIGS: Aldi Bot
To: Kevin Ross <kevross33@googlemail.com>
Cc: "emerging-sigs@emergingthreats.net"
        <Emerging-sigs@emergingthreats.net>
Message-ID:
        <F270C3A8-B9C1-472D-A2A1-F2748C65BE26@emergingthreatspro.com>
Content-Type: text/plain; charset="iso-8859-1"

Maybe in the Pro sigs and I didn't notice. Pedro, can you check? If
what we had like this was pro then we'll move it over to open.

Thanks!

Matt


On Oct 5, 2011, at 5:57 PM, Kevin Ross wrote:

> Is it? What sids, as I just did a grep for &steal= and didn't find anything.
>
> On 5 October 2011 22:44, Matthew Jonkman <jonkman@emergingthreatspro.com> wrote:
> Already covered! :)
>
> Matt
>
>
> On Oct 5, 2011, at 5:19 PM, Kevin Ross wrote:
>
> > Already submitted from the sandnet for the user agent (I think it is still waiting to be posted).
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Checkin"; flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&pc="; http_uri; content:"&localip="; http_uri; content:"&winver="; http_uri; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300001; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Sending Stolen Data"; flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&steal="; http_uri; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300002; rev:1;)
> >
> > Regards, Kev
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ---------------------------------------------------
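The following is an added example, not part of the thread above and not code from the Emerging Threats ruleset. It emulates how Snort evaluates the two proposed Aldi Bot rules over a handful of constructed HTTP request lines: every `content` carrying the `http_uri` modifier must be found in the normalized request URI, the matches are unordered because the rules use no `distance`/`within`, and they are case-sensitive because the rules use no `nocase`. The normalization step here is limited to percent-decoding, which is only a subset of what Snort's http_inspect preprocessor does when it fills the `http_uri` buffer; the sample requests, the `/panel/` path and the hwid, hostname and IP values in them are invented for the demonstration.

```python
"""Emulate the two proposed Aldi Bot Snort rules over constructed requests.

Added example, not from the mailing-list thread or the ET ruleset. Snort
semantics assumed here: each http_uri content must appear somewhere in the
normalized URI (unordered without distance/within, case-sensitive without
nocase). Normalization is emulated with percent-decoding only, a subset of
what http_inspect actually performs.
"""
from urllib.parse import unquote

# (sid, msg, required http_uri content matches), taken from the two rules
RULES = [
    (1300001, "ET TROJAN W32/AldiBot DDOS Bot Checkin",
     ["/gate.php?hwid=", "&pc=", "&localip=", "&winver="]),
    (1300002, "ET TROJAN W32/AldiBot DDOS Bot Sending Stolen Data",
     ["/gate.php?hwid=", "&steal="]),
]


def normalized_uri(request_line: str) -> str:
    """Return the percent-decoded request target of an HTTP request line.

    Stands in for Snort's normalized http_uri buffer (assumption: only
    percent-decoding is emulated here).
    """
    _method, target, _version = request_line.split(" ", 2)
    return unquote(target)


def matching_sids(request_line: str) -> list[int]:
    """Return the SIDs of every rule whose content matches all hit the URI."""
    uri = normalized_uri(request_line)
    return [sid for sid, _msg, contents in RULES
            if all(c in uri for c in contents)]


# Constructed sample request lines (hypothetical values, no real traffic).
SAMPLES = {
    # full checkin: all four parameters present -> sid 1300001
    "checkin": "GET /panel/gate.php?hwid=ABCD1234&pc=WORKSTATION"
               "&localip=10.0.0.5&winver=Win7 HTTP/1.1",
    # stolen-data upload: hwid plus steal -> sid 1300002
    "steal": "POST /panel/gate.php?hwid=ABCD1234&steal=firefox HTTP/1.1",
    # '&' percent-encoded as %26: still matches after normalization
    "encoded": "GET /panel/gate.php?hwid=ABCD1234%26pc=WS%26localip=10.0.0.5"
               "%26winver=XP HTTP/1.1",
    # same parameters upper-cased: no nocase in the rules, so no alert
    "uppercase": "GET /panel/GATE.PHP?HWID=ABCD1234&PC=WS&LOCALIP=10.0.0.5"
                 "&WINVER=XP HTTP/1.1",
    # only two of the four checkin parameters: no alert
    "partial": "GET /panel/gate.php?hwid=ABCD1234&pc=WS HTTP/1.1",
    # unrelated request mentioning 'gate': no alert
    "benign": "GET /index.php?page=gate HTTP/1.1",
}


def run_samples() -> dict[str, list[int]]:
    """Evaluate every constructed sample and return name -> firing SIDs."""
    return {name: matching_sids(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:10s} -> {sids or 'no alert'}")
```

The `uppercase` sample is the caveat worth keeping in mind when reviewing the rules: a bot that changed the case of the script name or parameter names would slip past both signatures as written, and `nocase` on the URI contents is the usual ET remedy when that is a concern.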