# sid 2008077 rev 17: outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET) whose URI contains "/postcard.exe", case-insensitive.
# uricontent is an unanchored substring match, so this alerts on the filename alone; treat a hit as a lead to confirm
# (destination, downloaded content), as the "Possible" in msg indicates.
# Detection options are the same as rev 16 on this page; rev 17 only adds two emergingthreats.net reference URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/postcard.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; reference:url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading; reference:url,www.sophos.com/security/blog/2008/07/1599.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008077; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Storm; sid:2008077; rev:17;)

Added 2009-02-06 19:00:54 UTC


# sid 2008077 rev 17: outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET) whose URI contains "/postcard.exe", case-insensitive.
# uricontent is an unanchored substring match, so this alerts on the filename alone; treat a hit as a lead to confirm
# (destination, downloaded content), as the "Possible" in msg indicates.
# Detection options are the same as rev 16 on this page; rev 17 only adds two emergingthreats.net reference URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/postcard.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; reference:url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading; reference:url,www.sophos.com/security/blog/2008/07/1599.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008077; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Storm; sid:2008077; rev:17;)

Added 2009-02-06 19:00:54 UTC


# sid 2008077 rev 16: outbound HTTP GET whose URI contains "/postcard.exe" (case-insensitive, unanchored substring).
# The sid is reused as the lure filename changes: rev 15 on this page matched "/fbi_facebook.exe". Read an alert's rev
# alongside the sid to know which filename fired; this rule no longer alerts on filenames from earlier revs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/postcard.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; reference:url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading; reference:url,www.sophos.com/security/blog/2008/07/1599.html; sid:2008077; rev:16;)

Added 2008-08-04 15:00:22 UTC


# sid 2008077 rev 16: outbound HTTP GET whose URI contains "/postcard.exe" (case-insensitive, unanchored substring).
# The sid is reused as the lure filename changes: rev 15 on this page matched "/fbi_facebook.exe". Read an alert's rev
# alongside the sid to know which filename fired; this rule no longer alerts on filenames from earlier revs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/postcard.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; reference:url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading; reference:url,www.sophos.com/security/blog/2008/07/1599.html; sid:2008077; rev:16;)

Added 2008-08-04 15:00:22 UTC


# sid 2008077 rev 15: outbound HTTP GET whose URI contains "/fbi_facebook.exe" (case-insensitive, unanchored substring).
# Same detection options as rev 14 on this page; this rev adds the second us-cert.gov and the sophos.com reference URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/fbi_facebook.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; reference:url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading; reference:url,www.sophos.com/security/blog/2008/07/1599.html; sid:2008077; rev:15;)

Added 2008-07-30 10:00:22 UTC


# sid 2008077 rev 15: outbound HTTP GET whose URI contains "/fbi_facebook.exe" (case-insensitive, unanchored substring).
# Same detection options as rev 14 on this page; this rev adds the second us-cert.gov and the sophos.com reference URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/fbi_facebook.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; reference:url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading; reference:url,www.sophos.com/security/blog/2008/07/1599.html; sid:2008077; rev:15;)

Added 2008-07-30 10:00:22 UTC


# sid 2008077 rev 14: outbound HTTP GET whose URI contains "/fbi_facebook.exe" (case-insensitive, unanchored substring).
# Replaces the "/postcard.exe" match of rev 13 under the same sid, so this rule stops alerting on the earlier filename.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/fbi_facebook.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:14;)

Added 2008-07-28 10:00:22 UTC


# sid 2008077 rev 14: outbound HTTP GET whose URI contains "/fbi_facebook.exe" (case-insensitive, unanchored substring).
# Replaces the "/postcard.exe" match of rev 13 under the same sid, so this rule stops alerting on the earlier filename.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/fbi_facebook.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:14;)

Added 2008-07-28 10:00:22 UTC


# sid 2008077 rev 13: outbound HTTP GET whose URI contains "/postcard.exe" (case-insensitive, unanchored substring).
# Filename-only signature: any server offering a file by this name triggers it, so confirm a hit against the
# destination and the downloaded content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/postcard.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:13;)

Added 2008-07-24 11:44:46 UTC


# sid 2008077 rev 13: outbound HTTP GET whose URI contains "/postcard.exe" (case-insensitive, unanchored substring).
# Filename-only signature: any server offering a file by this name triggers it, so confirm a hit against the
# destination and the downloaded content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/postcard.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:13;)

Added 2008-07-24 11:44:46 UTC


# sid 2008077 rev 13: outbound HTTP GET whose URI contains "/postcard.exe" (case-insensitive, unanchored substring).
# Filename-only signature: any server offering a file by this name triggers it, so confirm a hit against the
# destination and the downloaded content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/postcard.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:13;)

Added 2008-07-24 11:43:47 UTC


# sid 2008077 rev 13: outbound HTTP GET whose URI contains "/postcard.exe" (case-insensitive, unanchored substring).
# Filename-only signature: any server offering a file by this name triggers it, so confirm a hit against the
# destination and the downloaded content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/postcard.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:13;)

Added 2008-07-24 11:43:47 UTC


# sid 2008077 rev 12: outbound HTTP GET whose URI contains "/amero.exe" (case-insensitive, unanchored substring).
# Only the filename and msg differ from rev 11 on this page ("/form.exe"); the sid is being re-pointed at the current lure.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (amero.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/amero.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:12;)

Added 2008-07-21 11:00:23 UTC


# sid 2008077 rev 12: outbound HTTP GET whose URI contains "/amero.exe" (case-insensitive, unanchored substring).
# Only the filename and msg differ from rev 11 on this page ("/form.exe"); the sid is being re-pointed at the current lure.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (amero.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/amero.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:12;)

Added 2008-07-21 11:00:23 UTC


# sid 2008077 rev 11: outbound HTTP GET whose URI contains "/form.exe" (case-insensitive, unanchored substring).
# Same detection options as rev 10 on this page; this rev adds the us-cert.gov reference URL.
# "/form.exe" is a generic name, so expect this rev to be noisier than the more distinctive filenames in other revs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (form.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/form.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:11;)

Added 2008-07-11 10:00:23 UTC


# sid 2008077 rev 11: outbound HTTP GET whose URI contains "/form.exe" (case-insensitive, unanchored substring).
# Same detection options as rev 10 on this page; this rev adds the us-cert.gov reference URL.
# "/form.exe" is a generic name, so expect this rev to be noisier than the more distinctive filenames in other revs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (form.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/form.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; sid:2008077; rev:11;)

Added 2008-07-11 10:00:23 UTC


# sid 2008077 rev 10: outbound HTTP GET whose URI contains "/form.exe" (case-insensitive, unanchored substring).
# Filename and reference both change from rev 9 on this page ("/fireworks.exe", sudosecure archives/119 -> archives/146).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (form.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/form.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; sid:2008077; rev:10;)

Added 2008-07-08 23:25:29 UTC


# sid 2008077 rev 10: outbound HTTP GET whose URI contains "/form.exe" (case-insensitive, unanchored substring).
# Filename and reference both change from rev 9 on this page ("/fireworks.exe", sudosecure archives/119 -> archives/146).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (form.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/form.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; sid:2008077; rev:10;)

Added 2008-07-08 23:25:29 UTC


# sid 2008077 rev 9: outbound HTTP GET whose URI contains "/fireworks.exe" (case-insensitive, unanchored substring).
# Only the filename and msg differ from rev 8 on this page ("/winner.exe").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (fireworks.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/fireworks.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/119; sid:2008077; rev:9;)

Added 2008-07-04 09:35:04 UTC


# sid 2008077 rev 9: outbound HTTP GET whose URI contains "/fireworks.exe" (case-insensitive, unanchored substring).
# Only the filename and msg differ from rev 8 on this page ("/winner.exe").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (fireworks.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/fireworks.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/119; sid:2008077; rev:9;)

Added 2008-07-04 09:35:04 UTC


# sid 2008077 rev 8: outbound HTTP GET whose URI contains "/winner.exe" (case-insensitive, unanchored substring).
# Only the filename and msg differ from rev 7 on this page ("/beijing.exe").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (winner.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/winner.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/119; sid:2008077; rev:8;)

Added 2008-07-01 14:48:32 UTC


# sid 2008077 rev 8: outbound HTTP GET whose URI contains "/winner.exe" (case-insensitive, unanchored substring).
# Only the filename and msg differ from rev 7 on this page ("/beijing.exe").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (winner.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/winner.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/119; sid:2008077; rev:8;)

Added 2008-07-01 14:48:32 UTC


# sid 2008077 rev 7: outbound HTTP request whose URI contains "/beijing.exe" (case-insensitive, unanchored substring).
# First rev on this page to add content:"GET "; depth:4; so the payload must begin with "GET " (matched case-sensitively);
# revs 1-6 had no method check.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (beijing.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/beijing.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/119; sid:2008077; rev:7;)

Added 2008-06-20 11:46:00 UTC


# sid 2008077 rev 7: outbound HTTP request whose URI contains "/beijing.exe" (case-insensitive, unanchored substring).
# First rev on this page to add content:"GET "; depth:4; so the payload must begin with "GET " (matched case-sensitively);
# revs 1-6 had no method check.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (beijing.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/beijing.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/119; sid:2008077; rev:7;)

Added 2008-06-20 11:46:00 UTC


# sid 2008077 rev 6: outbound request to $HTTP_PORTS whose URI contains "/loveyou.exe" (case-insensitive, unanchored substring).
# This rev drops the exact User-Agent content match that rev 5 on this page required, so the rule now fires on the
# filename alone, for any HTTP method; broader coverage, at the cost of more false positives.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (loveyou.exe)"; flow:established,to_server; uricontent:"/loveyou.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:6;)

Added 2008-05-19 14:28:09 UTC


# sid 2008077 rev 6: outbound request to $HTTP_PORTS whose URI contains "/loveyou.exe" (case-insensitive, unanchored substring).
# This rev drops the exact User-Agent content match that rev 5 on this page required, so the rule now fires on the
# filename alone, for any HTTP method; broader coverage, at the cost of more false positives.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (loveyou.exe)"; flow:established,to_server; uricontent:"/loveyou.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:6;)

Added 2008-05-19 14:28:09 UTC


# sid 2008077 rev 5: outbound request whose URI contains "/load.exe" AND whose payload carries the exact User-Agent header below.
# nocase directly follows uricontent, so it applies to the URI match only; the User-Agent content is matched
# case-sensitively and byte-for-byte, including the CRLF on each side, so any variation in that header evades the rule.
# Differs from rev 4 on this page only in the reference option, which now carries the "url," system prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:5;)

Added 2008-05-05 13:24:59 UTC


# sid 2008077 rev 5: outbound request whose URI contains "/load.exe" AND whose payload carries the exact User-Agent header below.
# nocase directly follows uricontent, so it applies to the URI match only; the User-Agent content is matched
# case-sensitively and byte-for-byte, including the CRLF on each side, so any variation in that header evades the rule.
# Differs from rev 4 on this page only in the reference option, which now carries the "url," system prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:5;)

Added 2008-05-05 13:24:59 UTC


# sid 2008077 rev 5: outbound request whose URI contains "/load.exe" AND whose payload carries the exact User-Agent header below.
# nocase directly follows uricontent, so it applies to the URI match only; the User-Agent content is matched
# case-sensitively and byte-for-byte, including the CRLF on each side, so any variation in that header evades the rule.
# Differs from rev 4 on this page only in the reference option, which now carries the "url," system prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:5;)

Added 2008-05-05 13:20:42 UTC


# sid 2008077 rev 5: outbound request whose URI contains "/load.exe" AND whose payload carries the exact User-Agent header below.
# nocase directly follows uricontent, so it applies to the URI match only; the User-Agent content is matched
# case-sensitively and byte-for-byte, including the CRLF on each side, so any variation in that header evades the rule.
# Differs from rev 4 on this page only in the reference option, which now carries the "url," system prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:5;)

Added 2008-05-05 13:20:42 UTC


# sid 2008077 rev 4: outbound request whose URI contains "/load.exe" (case-insensitive) AND whose payload carries the
# exact, case-sensitive User-Agent header below.
# NOTE(review): reference:www.sudosecure.net/archives/61 has no reference-system prefix; the option takes the form
# reference:<system>,<id>, and rev 5 on this page writes it as reference:url,www.sudosecure.net/archives/61.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:www.sudosecure.net/archives/61; sid:2008077; rev:4;)

Added 2008-05-04 23:07:23 UTC


# sid 2008077 rev 4: outbound request whose URI contains "/load.exe" (case-insensitive) AND whose payload carries the
# exact, case-sensitive User-Agent header below.
# NOTE(review): reference:www.sudosecure.net/archives/61 has no reference-system prefix; the option takes the form
# reference:<system>,<id>, and rev 5 on this page writes it as reference:url,www.sudosecure.net/archives/61.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:www.sudosecure.net/archives/61; sid:2008077; rev:4;)

Added 2008-05-04 23:07:23 UTC


# sid 2008077 rev 4: outbound request whose URI contains "/load.exe" (case-insensitive) AND whose payload carries the
# exact, case-sensitive User-Agent header below.
# NOTE(review): reference:www.sudosecure.net/archives/61 has no reference-system prefix; the option takes the form
# reference:<system>,<id>, and rev 5 on this page writes it as reference:url,www.sudosecure.net/archives/61.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:www.sudosecure.net/archives/61; sid:2008077; rev:4;)

Added 2008-05-04 23:04:38 UTC


# sid 2008077 rev 4: outbound request whose URI contains "/load.exe" (case-insensitive) AND whose payload carries the
# exact, case-sensitive User-Agent header below.
# NOTE(review): reference:www.sudosecure.net/archives/61 has no reference-system prefix; the option takes the form
# reference:<system>,<id>, and rev 5 on this page writes it as reference:url,www.sudosecure.net/archives/61.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:www.sudosecure.net/archives/61; sid:2008077; rev:4;)

Added 2008-05-04 23:04:38 UTC


# sid 2008077 rev 3: outbound request whose URI contains "/foolsday.exe" (case-insensitive) AND whose payload has a
# Host header that is a bare dotted-decimal address.
# The pcre has no modifiers, so it is case-sensitive and expects exactly "Host: " followed by the digits and CRLF;
# a Host value with a port suffix, different header casing or different spacing does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (foolsday.exe)"; flow:established,to_server; uricontent:"/foolsday.exe"; nocase; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; sid:2008077; rev:3;)

Added 2008-04-02 08:53:20 UTC


# sid 2008077 rev 3: outbound request whose URI contains "/foolsday.exe" (case-insensitive) AND whose payload has a
# Host header that is a bare dotted-decimal address.
# The pcre has no modifiers, so it is case-sensitive and expects exactly "Host: " followed by the digits and CRLF;
# a Host value with a port suffix, different header casing or different spacing does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (foolsday.exe)"; flow:established,to_server; uricontent:"/foolsday.exe"; nocase; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; sid:2008077; rev:3;)

Added 2008-04-02 08:53:20 UTC


# sid 2008077 rev 2: outbound request whose URI contains "/foolsday.exe" AND matches the pcre, which is applied to the
# URI buffer (U) case-insensitively (i).
# NOTE(review): the pcre needs dotted digit groups directly before "/foolsday.exe" inside the URI itself, which
# presumably only happens when the request line carries an absolute URL; confirm against captured traffic.
# \d{2,4} also requires at least two digits per group, so addresses with a single-digit octet do not match, and the
# "/" inside the pattern is not escaped. rev 3 on this page replaces this pcre with a Host-header match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (foolsday.exe)"; flow:established,to_server; uricontent:"/foolsday.exe"; nocase; pcre:"/(\d{2,4}\.?){3}\d{2,4}/foolsday\.exe/Ui"; classtype:trojan-activity; sid:2008077; rev:2;)

Added 2008-04-01 11:35:15 UTC


# sid 2008077 rev 2: outbound request whose URI contains "/foolsday.exe" AND matches the pcre, which is applied to the
# URI buffer (U) case-insensitively (i).
# NOTE(review): the pcre needs dotted digit groups directly before "/foolsday.exe" inside the URI itself, which
# presumably only happens when the request line carries an absolute URL; confirm against captured traffic.
# \d{2,4} also requires at least two digits per group, so addresses with a single-digit octet do not match, and the
# "/" inside the pattern is not escaped. rev 3 on this page replaces this pcre with a Host-header match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (foolsday.exe)"; flow:established,to_server; uricontent:"/foolsday.exe"; nocase; pcre:"/(\d{2,4}\.?){3}\d{2,4}/foolsday\.exe/Ui"; classtype:trojan-activity; sid:2008077; rev:2;)

Added 2008-04-01 11:35:15 UTC


# sid 2008077 rev 1: initial form of the rule. Alerts on any established client-to-server flow from $HOME_NET to
# $EXTERNAL_NET on $HTTP_PORTS whose URI contains "/foolsday.exe" (case-insensitive, unanchored substring).
# No method check, no second condition and no reference option; later revs on this page add each of these.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (foolsday.exe)"; flow:established,to_server; uricontent:"/foolsday.exe"; nocase; classtype:trojan-activity; sid:2008077; rev:1;)

Added 2008-03-31 18:01:49 UTC

