Changeset 479

Timestamp:
09/30/08 00:11:04 (2 months ago)
Author:
mbr
Message:

content match fix for Emerging Threats Snort rule ID 2007975 (Frank Joncourt)

Files:

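--- a/fwsnort/trunk/deps/snort_rules/emerging-all.rules
+++ b/fwsnort/trunk/deps/snort_rules/emerging-all.rules
@@ -2333,5 +2333,5 @@
 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Online Report"; flow:established,to_server; uricontent:"/up.html?"; nocase; uricontent:"set="; nocase; uricontent:"pid="; nocase; uricontent:"&mac="; nocase; classtype:trojan-activity; sid:2007954; rev:1;) 
 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cygo Checkin"; flow:established,to_server; uricontent:"/count.php?"; nocase; uricontent:"type="; nocase; uricontent:"partner="; nocase; uricontent:"&mac="; nocase; uricontent:"ver="; nocase; classtype:trojan-activity; sid:2007955; rev:1;) 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Trojan Checkin"; flow:established,to_server; uricontent:".php?pid="; nocase; uricontent:"mac="; nocase; uricontent:="&amd"; nocase; uricontent:"&win64="; nocase; classtype:trojan-activity; sid:2007975; rev:1;) 
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Trojan Checkin"; flow:established,to_server; uricontent:".php?pid="; nocase; uricontent:"mac="; nocase; uricontent:"&amd="; nocase; uricontent:"&win64="; nocase; classtype:trojan-activity; sid:2007975; rev:1;) 
 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (https)"; flow:established,to_server; content:"|0d 0a|User-Agent\: https|0d 0a|"; nocase; classtype:trojan-activity; sid:2008019; rev:1;) 
 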
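Review bot: The corrected rule for sid:2007975 still ends in `rev:1;`, so alerts and rule inventories cannot distinguish the fixed `uricontent:"&amd=";` from the malformed `uricontent:="&amd";` it replaces. Because the file sits under `deps/snort_rules`, it looks like a vendored copy of the Emerging Threats set; a later refresh from upstream would presumably overwrite this hand edit unless the same fix has landed there, which is worth confirming. If the project keeps local patches to vendored rules, a comment line above the rule such as `# local fix: corrected uricontent:"&amd=" (changeset 479)` would make the divergence visible. It would also be worth checking how the rule translator reported the old malformed option, since a silently skipped signature is a detection gap that nothing on this page shows being logged.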