
List:       emerging-sigs
Subject:    [Emerging-Sigs] Correction:ET MALWARE Possible FakeAV Binary Download
From:       kevross33 () googlemail ! com (Kevin Ross)
Date:       2011-04-30 17:37:26
Message-ID: BANLkTi=UjXR4CeYWQdfmy2FFSdqxNDHPAA () mail ! gmail ! com

I missed the v of the antiv in the PCRE. No worries though, as the antiv
content match would take care of it.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible FakeAV Binary Download"; \
    flow:established,to_client; content:"filename=|22|"; http_header; nocase; \
    content:"antiv"; fast_pattern; nocase; http_header; within:50; \
    pcre:"/filename\x3D\x22[^\r\n]*antiv/Hi"; classtype:trojan-activity; sid:2012753; rev:2;)
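To see why the missing "v" in the PCRE did not matter, it helps to trace how the two halves of the rule interact: the content chain ("filename=|22|" followed by "antiv" within 50 bytes) gates everything, and the PCRE only confirms that both tokens sit on the same header line. The following Python is an added illustration, not part of the original post and not Emerging Threats code. It re-implements the rule's matching logic over constructed HTTP response headers and approximates Snort's http_header buffer as the header block after the status line (an assumption; the real buffer is built by the HTTP preprocessor). Both the corrected pattern and the pre-correction "anti" pattern are included so the difference can be checked directly.

```python
import re

# Constructed sample HTTP responses for the demonstration (not real captures).
SAMPLES = {
    # Matches: antiv immediately follows filename=" on the same line.
    "fakeav": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b'Content-Disposition: attachment; filename="AntiVirus_Setup_2011.exe"\r\n'
        b"Content-Length: 1048576\r\n"
        b"\r\n"
    ),
    # No antiv anywhere in the headers.
    "benign_pdf": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/pdf\r\n"
        b'Content-Disposition: attachment; filename="quarterly_report.pdf"\r\n'
        b"\r\n"
    ),
    # antiv is present but on another header line and beyond the 50-byte window.
    "antiv_far_away": (
        b"HTTP/1.1 200 OK\r\n"
        b'Content-Disposition: attachment; filename="update.exe"\r\n'
        b"X-Vendor: " + b"x" * 60 + b" antivirus\r\n"
        b"\r\n"
    ),
    # Same line, so the PCRE matches, but antiv ends more than 50 bytes after
    # filename=", so the content chain (within:50) fails and the rule stays quiet.
    "long_filename": (
        b"HTTP/1.1 200 OK\r\n"
        b'Content-Disposition: attachment; filename="' + b"a" * 55 + b'antivirus.exe"\r\n'
        b"\r\n"
    ),
    # Only the pre-correction "anti" pattern would match this; the content match
    # on "antiv" never does, which is the author's point.
    "antiquarian": (
        b"HTTP/1.1 200 OK\r\n"
        b'Content-Disposition: attachment; filename="antiquarian_catalog.pdf"\r\n'
        b"\r\n"
    ),
}

# The PCRE from the corrected rule (rev:2); /H scopes it to the header buffer,
# /i makes it case-insensitive, which re.IGNORECASE reproduces.
PCRE = re.compile(rb"filename\x3D\x22[^\r\n]*antiv", re.IGNORECASE)
# The pre-correction pattern implied by the post: "anti" instead of "antiv".
TYPO_PCRE = re.compile(rb"filename\x3D\x22[^\r\n]*anti", re.IGNORECASE)


def http_header_buffer(response: bytes) -> bytes:
    """Approximate Snort's http_header buffer: headers after the status line,
    up to (and including) the CRLF that ends the last header line."""
    head, _, _ = response.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n"


def content_chain_matches(buf: bytes) -> bool:
    """Emulate content:"filename=|22|"; nocase; content:"antiv"; nocase; within:50;

    within:N means the second match must end no more than N bytes after the end
    of the first. Like Snort, try every occurrence of the first content."""
    lower = buf.lower()
    anchor = b'filename="'
    start = 0
    while True:
        i = lower.find(anchor, start)
        if i == -1:
            return False
        end_prev = i + len(anchor)
        if b"antiv" in lower[end_prev:end_prev + 50]:
            return True
        start = i + 1


def rule_fires(response: bytes, pcre: re.Pattern = PCRE) -> bool:
    """The full rule: content chain AND pcre, both over the header buffer."""
    buf = http_header_buffer(response)
    return content_chain_matches(buf) and pcre.search(buf) is not None


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:16s} rev2={rule_fires(resp)!s:5s} pre-correction={rule_fires(resp, TYPO_PCRE)}")
```

Running the script shows the two rule variants firing on exactly the same samples, because the "antiv" content match is evaluated before the PCRE and already rejects anything the looser "anti" pattern would have let through. It also shows that within:50, not the PCRE, is the stricter constraint: a very long filename with "antivirus" at its tail passes the regex but not the content chain.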