alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader Sending Mac Adress"; flow:established,to_server; content:"GET "; depth:4; uricontent:"x="; nocase; uricontent:"&y="; nocase; uricontent:"&z="; nocase; pcre:"/[0-9A-Fa-f]{6}/Ui"; reference:url,doc.emergingthreats.net/20010631; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:20010631; rev:2;)

Added 2010-01-07 16:45:42 UTC

This one falses on geolocation traffic:

9:05:09.839393 IP 172.17.12.29.2045 > 174.129.246.93.80: P 4171586717:4171587368(651) ack 4008472241 win 65535
        0x0000:  4500 02b3 0ad1 4000 8006 9066 ac11 0c1d  E.....@....f....
        0x0010:  ae81 f65d 07fd 0050 f8a5 5c9d eeec 6eb1  ...]...P..\...n.
        0x0020:  5018 ffff e9f2 0000 4745 5420 2f73 7477  P.......GET./stw
        0x0030:  2f73 7477 6765 7461 642f 6765 7461 6432  /stwgetad/getad2
        0x0040:  3f70 7562 6c69 7368 6572 3d35 3438 2678  ?publisher=548&x
        0x0050:  3d31 3331 3026 793d 3331 3636 267a 3d31  =1310&y=3166&z=1
        0x0060:  3326 6164 5f73 697a 6573 3d5b 5d26 7075  3&ad_sizes=[]&pu
        0x0070:  7368 7069 6e73 3d7b 2264 6566 6175 6c74  shpins={"default
        0x0080:  223a 6661 6c73 657d 2672 6571 6964 3d31  ":false}&reqid=1
        0x0090:  266c 6174 3d33 372e 3736 3033 3938 3838  &lat=37.76039888
        0x00a0:  3732 3532 3133 266c 6f6e 3d2d 3132 322e  725213&lon=-122.
        0x00b0:  3430 3039 3939 3036 3932 3133 3838 2661  40099906921388&a
        0x00c0:  7069 5f76 6572 3d31 3030 3030 3030 2672  pi_ver=1000000&r
        0x00d0:  616e 643d 302e 3731 3132 3331 3636 3930  and=0.7112316690
        0x00e0:  3834 3934 3134 2620 4854 5450 2f31 2e31  849414&.HTTP/1.1
        0x00f0:  0d0a 4163 6365 7074 3a20 2a2f 2a0d 0a52  ..Accept:.*/*..R
        0x0100:  6566 6572 6572 3a20 6874 7470 3a2f 2f72  eferer:.http://r
        0x0110:  6561 6c65 7374 6174 652e 7366 6761 7465  ealestate.sfgate
        0x0120:  2e63 6f6d 2f68 6f6d 6573 2f50 4f54 5245  .com/homes/POTRE
        0x0130:  524f 2d53 414e 2d46 5241 4e43 4953 434f  RO-SAN-FRANCISCO
        0x0140:  2d43 412d 5553 410d 0a41 6363 6570 742d  -CA-USA..Accept-

-- JackPepper - 08 Jan 2010
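To make the false positive concrete, the following is an added Python sketch (not part of this thread and not code from the ET ruleset) that approximates the payload conditions of sid 20010631 against the request line recovered from the hexdump above. The rule's pcre only asks for six hex characters somewhere in the URI, and the lat/lon and api_ver values in the geolocation request satisfy that on their own. The second function applies a tighter check that requires the six-hex run to sit inside the value of the x, y or z parameter; where a MAC fragment would appear is my assumption, not something the rule or the thread states. The beacon-shaped URI is a constructed sample, not observed traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request URI transcribed from the tcpdump hexdump in the thread (the false positive).
GEO_URI = ("/stw/stwgetad/getad2?publisher=548&x=1310&y=3166&z=13&ad_sizes=[]"
           "&pushpins={\"default\":false}&reqid=1&lat=37.76039888725213"
           "&lon=-122.40099906921388&api_ver=1000000&rand=0.7112316690849414&")

# Constructed sample in the shape the rule is hunting for (hypothetical, not observed).
FAKE_BEACON_URI = "/dl/check.php?x=00a0c9&y=14c829&z=1"

# pcre:"/[0-9A-Fa-f]{6}/Ui" from the rule
HEX6 = re.compile(r"[0-9A-Fa-f]{6}")


def request_uri(request_line: str):
    """Return the URI from an HTTP request line, or None if the line is not a GET."""
    # content:"GET "; depth:4
    if not request_line.startswith("GET "):
        return None
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else None


def sid_20010631_matches(request_line: str) -> bool:
    """Approximate the rule's payload conditions on one HTTP request line."""
    uri = request_uri(request_line)
    if uri is None:
        return False
    low = uri.lower()
    # uricontent:"x="; uricontent:"&y="; uricontent:"&z="; all nocase
    if not ("x=" in low and "&y=" in low and "&z=" in low):
        return False
    # the pcre is unanchored, so any 6-hex run anywhere in the URI is enough
    return HEX6.search(uri) is not None


def stricter_matches(request_line: str) -> bool:
    """Assumed tightening: the 6-hex run must be inside the value of x, y or z.
    This is an illustration of narrowing the match, not an ET rule revision."""
    if not sid_20010631_matches(request_line):
        return False
    uri = request_uri(request_line)
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for key, values in params.items():
        if key.lower() in ("x", "y", "z"):
            if any(HEX6.search(v) for v in values):
                return True
    return False


if __name__ == "__main__":
    for label, uri in (("geolocation", GEO_URI), ("beacon-shaped", FAKE_BEACON_URI)):
        line = "GET " + uri + " HTTP/1.1"
        print(label, "rule:", sid_20010631_matches(line),
              "stricter:", stricter_matches(line))
```

Run as-is it reports that the original conditions fire on the geolocation request while the narrowed check does not, and that both fire on the beacon-shaped sample; the tightening is only as good as the assumption about which parameter carries the hex, so it should be checked against real detections before being used.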


Topic revision: r2 - 2010-01-08 - JackPepper