List: emerging-sigs
Subject: [Emerging-Sigs] KLog Nick sig
From: jonkman () jonkmans ! com (Matt Jonkman)
Date: 2008-06-25 18:29:34
Message-ID: 48628E8E.9010901 () jonkmans ! com
I think you're right, we can drop the auth. The UA and other match are
so unique it'll be good.
I'll post it that way, thanks!
Matt
Marcus wrote:
> ref: f94837651cf2decefb4b754c718046df
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> SPYWARE-PUT - KLog Nick Keylogger Checkin";
> flow:established,to_server; content:"POST"; depth:5;
> uricontent:"/Auth.php"; content:"|0d 0a|User-Agent\: Mozilla/3.0
> (compatible\; Indy Library)"; content:"Nick+Key+Ativado";
> classtype:successful-recon-limited; nocase; sid:99999; rev:1;)
>
> I'm not sure if this is too restrictive, I haven't seen any other
> examples of this keylogger, so I am not sure if they will all use
> Auth.php. So, maybe it would be better to change the uricontent to
> just .php.
>
> Cheers,
> Marc
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
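An added example, not part of the list thread or the Emerging Threats ruleset: a small Python matcher that mirrors the content checks of the quoted rule, so the restrictive `/Auth.php` variant Marcus posted and the looser variant Matt agreed to can be compared against captured requests before the rule is loaded into Snort. The function name, the `require_auth_php` switch and the sample payloads are my own constructions.

```python
# Assumed helper (not from the thread): mirror the quoted rule's content
# checks so the two variants can be compared on raw client->server payloads.
USER_AGENT = b"\r\nUser-Agent: Mozilla/3.0 (compatible; Indy Library)"
BEACON = b"Nick+Key+Ativado"

def matches_klog_checkin(payload: bytes, require_auth_php: bool = True) -> bool:
    """Return True when the payload satisfies the rule's content options:
    'POST' inside the first 5 bytes (depth:5), the exact Indy Library
    User-Agent header (case-sensitive, as in the rule), the check-in string
    (treated case-insensitively, following the rule's trailing nocase), and,
    only when require_auth_php is set, '/Auth.php' in the request URI
    (the uricontent Matt proposes dropping)."""
    if b"POST" not in payload[:5]:
        return False
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) > 1 else b""
    if require_auth_php and b"/Auth.php" not in uri:
        return False
    if USER_AGENT not in payload:
        return False
    return BEACON.lower() in payload.lower()

# Constructed sample: check-in posted to /Auth.php, as in the rule.
SAMPLE_AUTH = (b"POST /Auth.php HTTP/1.0\r\nHost: example.invalid\r\n"
               b"User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n"
               b"Content-Length: 20\r\n\r\nmsg=Nick+Key+Ativado")
# Same check-in to a different script name, the case Marcus was unsure about.
SAMPLE_OTHER = SAMPLE_AUTH.replace(b"/Auth.php", b"/gate.php")
# Constructed benign client with the same User-Agent but no check-in string.
SAMPLE_BENIGN = SAMPLE_AUTH.replace(b"Nick+Key+Ativado", b"hello+world+here")

if __name__ == "__main__":
    for name, sample in [("auth", SAMPLE_AUTH), ("other", SAMPLE_OTHER),
                         ("benign", SAMPLE_BENIGN)]:
        print(name, matches_klog_checkin(sample),
              matches_klog_checkin(sample, require_auth_php=False))
```

Running it shows the strict variant missing the `/gate.php` check-in while the looser variant still catches it and still ignores the benign Indy Library client.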