
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] sid:2808800 negation
From:       Darien Huss <dhuss () emergingthreats ! net>
Date:       2014-09-30 14:06:24
Message-ID: CAKcCgkW4QYouAuZvX1=h+Zjf4o0iXLweQCKx9azgwOxYCEpY1w () mail ! gmail ! com

Thanks Marcus, we can get that fixed up today.

Regards,
Darien

On Tue, Sep 30, 2014 at 9:59 AM, Marcus Cymerman <marcuscymerman@gmail.com>
wrote:

> Folks,
>
> Could you please add a negation to the rule sid:2808800?
>
> Host != download.microsoft.com
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO TROJAN
> Win32.Llac.bbeh downloading files"; flow:established,to_server;
> content:"/download/"; http_uri; content:".exe"; http_uri;
> content:"User-Agent|3a 20|Wget/1.11.4|0d 0a|"; fast_pattern:12,11;
> http_header; content:!"Referer|3a 20|"; http_header;
> content:"|20|HTTP/1.0|0d 0a|";
> reference:md5,6516595d1c3968feedd23812c522fedd; classtype:trojan-activity;
> sid:2808800; rev:1;)
>
>
>
> Thanks
>
> Marcus Cymerman
> Cell: 1-786-417-4212
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
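
Added example (not part of the original thread, and not Emerging Threats' actual revision of the rule): a simplified Python model of the content checks in sid:2808800, run over two constructed requests, showing how the requested Host exclusion suppresses the match on download.microsoft.com. The negated pattern `Host|3a 20|download.microsoft.com|0d 0a|` in http_header, the helper names, and the sample hosts and paths are assumptions.

```python
# Simplified model of sid:2808800's content checks. This is an illustration,
# not Suricata's matching engine: buffers are approximated by string splits.

# Assumed form of the requested exclusion, written as a negated http_header content.
HOST_NEGATION = b"Host: download.microsoft.com\r\n"

def split_request(raw: bytes):
    """Return (uri, header_block), approximating the http_uri / http_header buffers."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, headers + b"\r\n"

def rule_matches(raw: bytes, negate_host: bool) -> bool:
    """Evaluate the rule's content options; negate_host adds the Host exclusion."""
    uri, headers = split_request(raw)
    checks = [
        b"/download/" in uri,                       # content:"/download/"; http_uri;
        b".exe" in uri,                             # content:".exe"; http_uri;
        b"User-Agent: Wget/1.11.4\r\n" in headers,  # User-Agent content; http_header;
        b"Referer: " not in headers,                # content:!"Referer|3a 20|"; http_header;
        b" HTTP/1.0\r\n" in raw,                    # content:"|20|HTTP/1.0|0d 0a|"; (raw payload)
    ]
    if negate_host:
        checks.append(HOST_NEGATION not in headers)
    return all(checks)

def build_request(host: str, path: str) -> bytes:
    """Build a constructed Wget-style HTTP/1.0 request for testing."""
    return (f"GET {path} HTTP/1.0\r\nUser-Agent: Wget/1.11.4\r\nAccept: */*\r\n"
            f"Host: {host}\r\nConnection: Keep-Alive\r\n\r\n").encode()

# Constructed sample traffic (hosts and paths are made up for this example).
SAMPLES = {
    "microsoft": build_request("download.microsoft.com", "/download/constructed/update.exe"),
    "other": build_request("files.example.test", "/download/setup.exe"),
}

def evaluate(negate_host: bool) -> dict:
    """Map each sample name to whether the rule would alert on it."""
    return {name: rule_matches(req, negate_host) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    print("rev:1 logic      :", evaluate(False))
    print("with Host negation:", evaluate(True))
```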



