
List:       emerging-sigs
Subject:    [Emerging-Sigs]  sid:2808800 negation
From:       Marcus Cymerman <marcuscymerman () gmail ! com>
Date:       2014-09-30 13:59:09
Message-ID: CAOp5BnLPzYKQXq0zmhkbijTcjVqvk7Gzr5gXSuiTNPJ=VZ8Hsw () mail ! gmail ! com

Folks,

Could you please add a negation to the rule sid:2808800?

Host != download.microsoft.com


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO TROJAN
Win32.Llac.bbeh downloading files"; flow:established,to_server;
content:"/download/"; http_uri; content:".exe"; http_uri;
content:"User-Agent|3a 20|Wget/1.11.4|0d 0a|"; fast_pattern:12,11;
http_header; content:!"Referer|3a 20|"; http_header;
content:"|20|HTTP/1.0|0d 0a|";
reference:md5,6516595d1c3968feedd23812c522fedd; classtype:trojan-activity;
sid:2808800; rev:1;)



Thanks

Marcus Cymerman
Cell: 1-786-417-4212




_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
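
The exclusion requested above, as an added example that is not part of the original message or of the Emerging Threats ruleset: a Python approximation of the rule's content checks, run over constructed requests, with the requested Host negation as an optional parameter. In rule syntax the negation could be written as `content:!"Host|3a 20|download.microsoft.com|0d 0a|"; http_header;`, which is an assumption about its form and not the published fix; the function names and the host `files.example.test` are made up for illustration.

```python
# Approximates the content matches of sid:2808800 on raw HTTP request bytes.
# Sample requests are constructed for illustration, not captured traffic.

def request(host, path="/download/tool.exe", referer=None):
    """Build a constructed Wget-style HTTP/1.0 request."""
    lines = [f"GET {path} HTTP/1.0", "User-Agent: Wget/1.11.4",
             "Accept: */*", f"Host: {host}"]
    if referer:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def split_buffers(raw):
    """Rough stand-ins for the http_uri and http_header buffers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    uri = request_line.split(b" ")[1]
    return uri, headers + b"\r\n"

def sid_2808800(raw, exclude_host=None):
    """True if the rule's content matches would all hit.

    exclude_host (bytes) models the requested negation: a negated match on
    the full 'Host: <name>CRLF' header line in the header buffer.
    """
    uri, headers = split_buffers(raw)
    matched = (
        b"/download/" in uri                          # content; http_uri
        and b".exe" in uri                            # content; http_uri
        and b"User-Agent: Wget/1.11.4\r\n" in headers # content; http_header
        and b"Referer: " not in headers               # content:!; http_header
        and b" HTTP/1.0\r\n" in raw                   # content on raw payload
    )
    if matched and exclude_host is not None:
        # Including the trailing CRLF keeps the exclusion to the exact name,
        # so a longer hostname that merely starts with it still alerts.
        matched = b"Host: " + exclude_host + b"\r\n" not in headers
    return matched

if __name__ == "__main__":
    ms = b"download.microsoft.com"
    for host in ("download.microsoft.com", "files.example.test",
                 "download.microsoft.com.example.test"):
        raw = request(host)
        print(host, "rev1:", sid_2808800(raw), "negated:", sid_2808800(raw, ms))
```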


