alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"Host|3a| 0x"; http_header; pcre:"/^Host\x3a\x200x[0-9a-f]+\r?$/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; classtype:trojan-activity; sid:2007951; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:10 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"Host|3a| 0x"; http_header; pcre:"/^Host\x3a\x200x[0-9a-f]+\r?$/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; classtype:trojan-activity; sid:2007951; rev:5;)

Added 2015-09-03 19:00:56 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"Host|3a| 0x"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; classtype:trojan-activity; sid:2007951; rev:5;)

Added 2011-10-12 19:24:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"Host|3a| 0x"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; sid:2007951; rev:5;)

Added 2011-09-14 22:37:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"Host|3a| 0x"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hex_Domain_Request; sid:2007951; rev:5;)

Added 2011-02-04 17:27:03 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"|0d 0a|Host\: 0x"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hex_Domain_Request; sid:2007951; rev:2;)

Added 2009-02-08 17:30:24 UTC

FPs on Host: 0xff.akop.org. Can you put a hex encoded IP here??

-- RussellFulton - 08 Apr 2010

Not sure how we could without going pcre. How often are you getting falses there?

-- MattJonkman - 09 Apr 2010


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"|0d 0a|Host\: 0x"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hex_Domain_Request; sid:2007951; rev:2;)

Added 2009-02-08 17:30:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"|0d 0a|Host\: 0x"; classtype:trojan-activity; sid:2007951; rev:1;)

Added 2008-03-08 21:51:28 UTC


Topic revision: r3 - 2010-04-09 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats