List: emerging-sigs
Subject: [Emerging-Sigs] sid:2808800 negation
From: Marcus Cymerman <marcuscymerman () gmail ! com>
Date: 2014-09-30 13:59:09
Message-ID: CAOp5BnLPzYKQXq0zmhkbijTcjVqvk7Gzr5gXSuiTNPJ=VZ8Hsw () mail ! gmail ! com
Folks,
Could you please add a negation to the rule sid:2808800?
Host != download.microsoft.com
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO TROJAN
Win32.Llac.bbeh downloading files"; flow:established,to_server;
content:"/download/"; http_uri; content:".exe"; http_uri;
content:"User-Agent|3a 20|Wget/1.11.4|0d 0a|"; fast_pattern:12,11;
http_header; content:!"Referer|3a 20|"; http_header;
content:"|20|HTTP/1.0|0d 0a|";
reference:md5,6516595d1c3968feedd23812c522fedd; classtype:trojan-activity;
sid:2808800; rev:1;)
Thanks
Marcus Cymerman
Cell: 1-786-417-4212
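
The following is an added example, not part of the original message and not Emerging Threats code. It approximates the content checks of sid:2808800 in Python over constructed requests, to show the false positive on download.microsoft.com and the effect of a Host negation. The negated option in the comment, the helper names and the host files.example.test are assumptions.

```python
# Added illustration: approximates the content checks of sid:2808800.
# Real Snort inspects normalized http_uri/http_header buffers; this uses raw bytes.

# Assumed form of the requested negation (not the published rule):
#   content:!"Host|3a 20|download.microsoft.com|0d 0a|"; http_header;
NEGATED_HOST = b"Host: download.microsoft.com\r\n"

def split_request(raw):
    """Return (request_line, uri, header_block) from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0] + b"\r\n"
    request_line, headers = head.split(b"\r\n", 1)
    uri = request_line.split(b" ")[1]
    return request_line + b"\r\n", uri, headers

def rule_matches(raw, host_negation=False):
    """True when every content option of the rule is satisfied."""
    line, uri, headers = split_request(raw)
    checks = [
        b"/download/" in uri,                       # content:"/download/"; http_uri;
        b".exe" in uri,                             # content:".exe"; http_uri;
        b"User-Agent: Wget/1.11.4\r\n" in headers,  # User-Agent content; http_header;
        b"Referer: " not in headers,                # content:!"Referer|3a 20|";
        b" HTTP/1.0\r\n" in line,                   # content:"|20|HTTP/1.0|0d 0a|";
    ]
    if host_negation:
        # Case-sensitive, like a Snort content match without nocase.
        checks.append(NEGATED_HOST not in headers)
    return all(checks)

def build(host, referer=None):
    """Constructed Wget-style request; not captured traffic."""
    lines = [b"GET /download/pkg/setup.exe HTTP/1.0",
             b"User-Agent: Wget/1.11.4",
             b"Accept: */*",
             b"Host: " + host.encode()]
    if referer:
        lines.append(b"Referer: " + referer.encode())
    return b"\r\n".join(lines) + b"\r\n\r\n"

MS_UPDATE = build("download.microsoft.com")   # benign fetch that trips rev:1
OTHER_HOST = build("files.example.test")      # placeholder host, still alerts

if __name__ == "__main__":
    for name, req in (("microsoft", MS_UPDATE), ("other", OTHER_HOST)):
        print(name, "rev1:", rule_matches(req),
              "with negation:", rule_matches(req, host_negation=True))
```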