# sid 2007669 rev 11 (retired): the msg prefix is "ET DELETED" and the line is commented out, so it is no longer loaded.
# Only change from rev 7 is the protocol/port tuple: "http ... any" instead of "tcp $HTTP_PORTS", so matching relies on
# app-layer HTTP detection rather than on the response arriving from a port listed in $HTTP_PORTS.
# Detection itself is unchanged: status code 200 (http_stat_code) and a normalized header buffer that starts with
# "Encryption: on\r\nContent-Length: ". That content is exactly 32 bytes and depth:32 restricts the search to the first
# 32 bytes of the buffer, so the non-standard Encryption header must be the very first header; a response that emits any
# other header first (Server:, Date:, ...) is not matched.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:00:56 UTC


# sid 2007669 rev 7 (retired): identical matching to rev 6; only the msg prefix changed to "ET DELETED" and the rule was
# commented out. Still scoped to tcp $HTTP_PORTS, so a checkin response served on a port outside that variable would not
# have been inspected; rev 11 later moved to the "http" protocol keyword with "any" port.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:7;)

Added 2013-11-11 19:42:44 UTC


# sid 2007669 rev 6, 2011-10-12 entry: same detection as the two earlier rev 6 entries; only the order of the
# reference and classtype options was swapped. Order of these non-matching options does not affect detection,
# which is why the rev number was not bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:6;)

Added 2011-10-12 19:23:35 UTC


# sid 2007669 rev 6, 2011-09-14 entry: the www.emergingthreats.net cvsweb reference present in the 2011-02-04 entry
# was dropped; the matching options are unchanged, so the rev number was left at 6.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007669; sid:2007669; rev:6;)

Added 2011-09-14 22:37:07 UTC


# sid 2007669 rev 6 (first entry, 2011-02-04): the raw-payload match of rev 5 was converted to HTTP sticky buffers.
# The status line is now checked as content:"200" on http_stat_code, which also tolerates HTTP/1.1 responses that the
# literal "HTTP/1.0 200 OK" in rev 5 could not match. The header check moved to http_header with depth:32; since
# "Encryption: on\r\nContent-Length: " is exactly 32 bytes, the Encryption header must be the first header in the
# normalized buffer for the rule to fire. The "Encryption" header is not a standard HTTP header, which is the
# signature's distinguishing feature.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007669; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Nulprot; sid:2007669; rev:6;)

Added 2011-02-04 17:26:47 UTC


# sid 2007669 rev 5: rev 4 plus a second reference (the cvsweb link to sigs/VIRUS/TROJAN_Nulprot); detection unchanged.
# Raw-payload match: the 49-byte content "HTTP/1.0 200 OK\r\nEncryption: on\r\nContent-Length: " with offset:0 and
# depth:49 must sit at the very start of the server payload. Colons are escaped as "\:" because ":" is reserved in
# content strings. Because the version string is literal, an HTTP/1.1 response from the same C2 does not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Nulprot; sid:2007669; rev:5;)

Added 2009-02-13 19:30:23 UTC


# sid 2007669 rev 5: duplicate history entry, byte-identical rule text and the same 2009-02-13 timestamp as the
# previous rev 5 entry. Raw-payload match anchored at offset 0 with depth 49 on a literal HTTP/1.0 status line.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Nulprot; sid:2007669; rev:5;)

Added 2009-02-13 19:30:23 UTC


# sid 2007669 rev 4: msg prefix renamed from "BLEEDING-EDGE TROJAN" to "ET TROJAN"; the matching options are
# byte-identical to rev 3 (raw payload, offset:0, depth:49, literal "HTTP/1.0 200 OK" status line).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:4;)

Added 2008-01-31 10:12:23 UTC


# sid 2007669 rev 4: duplicate history entry, identical text and timestamp (2008-01-31) to the previous rev 4 entry.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:4;)

Added 2008-01-31 10:12:23 UTC


# sid 2007669 rev 3: only the reference host changed from doc.bleedingthreats.net (rev 2) to doc.emergingthreats.net;
# detection unchanged. This same rev 3 text is recorded six times across the 2008-01-08/09 timestamps below.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:3;)

Added 2008-01-09 17:42:41 UTC


# sid 2007669 rev 3: duplicate history entry (same text and 2008-01-09 17:42 timestamp as the entry above).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:3;)

Added 2008-01-09 17:42:41 UTC


# sid 2007669 rev 3: re-recorded at 2008-01-09 15:15 with no change to the rule text.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:3;)

Added 2008-01-09 15:15:19 UTC


# sid 2007669 rev 3: duplicate history entry (same text and 2008-01-09 15:15 timestamp as the entry above).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:3;)

Added 2008-01-09 15:15:19 UTC


# sid 2007669 rev 3, first recorded 2008-01-08: reference moved to doc.emergingthreats.net; matching options identical
# to rev 2 (raw payload, literal "HTTP/1.0 200 OK\r\nEncryption: on\r\nContent-Length: " at offset 0, depth 49).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:3;)

Added 2008-01-08 20:25:20 UTC


# sid 2007669 rev 3: duplicate history entry (same text and 2008-01-08 20:25 timestamp as the entry above).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:3;)

Added 2008-01-08 20:25:20 UTC


# sid 2007669 rev 2 (earliest revision on this page, 2007-11-07, Bleeding Edge era): matches the first 49 bytes of a
# server-to-client payload against the literal "HTTP/1.0 200 OK\r\nEncryption: on\r\nContent-Length: " (offset:0,
# depth:49), i.e. the exact header prefix seen in the capture below. The non-standard "Encryption: on" header is the
# discriminator; the literal HTTP/1.0 version string and the fixed header order mean any variation in the server's
# response framing is not matched.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"HTTP/1.0 200 OK|0d 0a|Encryption\: on|0d 0a|Content-Length\: "; offset:0; depth:49; reference:url,doc.bleedingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:2;)

Added 2007-11-07 03:15:30 UTC

Interesting Nulprot trojan. Its reply to an HTTP GET has a header field called Encryption:. That's a new one:

0000   48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d  HTTP/1.0 200 OK.
0010   0a 45 6e 63 72 79 70 74 69 6f 6e 3a 20 6f 6e 0d  .Encryption: on.
0020   0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a  .Content-Length:
0030   20 34 30 0d 0a 0d 0a a4 30 30 6a a0 e0 00 20 52   40.....00j... R
0040   a8 00 b8 60 d0 f8 38 c0 e0 08 18 f0 e8 30 d0 e2  ...`..8......0..
0050   18 79 39 e0 d9 49 3a 30 30 73 7b f0 5a e8 e8     .y9..I:00s{.Z..

Please let me know about false positives. This isn't a legitimate header field, but it might be in use somewhere in violation of the RFC.

-- MattJonkman - 07 Nov 2007


Topic revision: r2 - 2007-11-07 - MattJonkman
 