List: emerging-sigs
Subject: [Emerging-Sigs] Correction:ET MALWARE Possible FakeAV Binary Download
From: kevross33 () googlemail ! com (Kevin Ross)
Date: 2011-04-30 17:37:26
Message-ID: BANLkTi=UjXR4CeYWQdfmy2FFSdqxNDHPAA () mail ! gmail ! com
I missed the v of the antiv in the PCRE. No worries though, as the antiv
content match would take care of it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE
Possible FakeAV Binary Download"; flow:established,to_client;
content:"filename=|22|"; http_header; nocase; content:"antiv"; fast_pattern;
nocase; http_header; within:50; pcre:"/filename\x3D\x22[^\r\n]*antiv/Hi";
classtype:trojan-activity; sid:2012753; rev:2;)
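As an added illustration (not part of Kevin's post or the ET ruleset), the Python below approximates the three http_header checks of the corrected rule over constructed HTTP responses, showing why the content:"antiv" match already covers the case the PCRE typo would have missed, and what the PCRE adds on top. It assumes simplified content/within/pcre semantics, not Snort's exact engine.

```python
import re

# Python equivalent of: pcre:"/filename\x3D\x22[^\r\n]*antiv/Hi"
# (H = search the HTTP header buffer, i = case-insensitive). \x3D is '=' and \x22 is '"'.
FILENAME_ANTIV_RE = re.compile(rb'filename\x3D\x22[^\r\n]*antiv', re.IGNORECASE)

def rule_stages(raw_response: bytes) -> dict:
    """Approximate each header-buffer check of ET sid 2012753 rev:2 and report which passed.

    Assumptions (a simplification, not Snort's exact engine): the http_header buffer is
    everything before the first blank line, and within:50 means the second content must
    fit entirely inside the 50 bytes that follow the end of the first match.
    """
    header, sep, _body = raw_response.partition(b"\r\n\r\n")
    stages = {"filename": False, "antiv_within_50": False, "pcre_same_line": False}
    if not sep:
        return stages
    lower = header.lower()                      # nocase
    pos = lower.find(b'filename="')             # content:"filename=|22|"; http_header; nocase;
    if pos == -1:
        return stages
    stages["filename"] = True
    after = pos + len(b'filename="')
    # content:"antiv"; nocase; http_header; within:50;
    stages["antiv_within_50"] = b"antiv" in lower[after:after + 50]
    # pcre: [^\r\n]* keeps 'antiv' on the same header line as filename="
    stages["pcre_same_line"] = FILENAME_ANTIV_RE.search(header) is not None
    return stages

def match_rule(raw_response: bytes) -> bool:
    """The rule fires only when every stage matches."""
    return all(rule_stages(raw_response).values())

# Constructed sample responses (not captured traffic).
FAKEAV = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
          b'Content-Disposition: attachment; filename="AntiVirus_Setup.exe"\r\n\r\nMZ...')
BENIGN = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
          b'Content-Disposition: attachment; filename="report.pdf"\r\n\r\n%PDF-')
# 'antiv' lands within 50 bytes but on a later header line: contents match, PCRE does not.
SPLIT = (b'HTTP/1.1 200 OK\r\nContent-Disposition: attachment; filename="a.exe"\r\n'
         b"X-Note: antiv\r\n\r\n...")

if __name__ == "__main__":
    for name, sample in (("FAKEAV", FAKEAV), ("BENIGN", BENIGN), ("SPLIT", SPLIT)):
        print(name, match_rule(sample), rule_stages(sample))
```

The SPLIT sample is the case the two content matches alone would alert on but the PCRE rejects, since [^\r\n]* cannot cross a header line break.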