# sid 2008358, rev 5: flags the Pakes/Cutwail/Kobcka check-in request named in msg, sent from $HOME_NET
# to an external server on a destination port of 1024 or higher ("1024:" is an open-ended range).
# - flow:established,to_server: only client-to-server traffic on an established TCP session is inspected.
# - dsize:<160: the packet payload must be under 160 bytes (a per-packet size test).
# - content "GET /?bot_id=0&mode=1" with depth:21: the literal is 21 bytes, so it must start the payload.
# - content "Host|3a| " with distance:0: "Host: " (|3a| is the colon) must occur after that literal.
# NOTE(review): bot_id=0 and mode=1 are fixed literals, so a request with other values will not match.
# NOTE(review): destination ports below 1024 are out of scope here; presumably a companion rule covers
# them -- confirm against the ruleset.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:5;)

Added 2011-10-12 19:24:58 UTC


# sid 2008358, rev 5 (copy stored 2011-09-14): request must begin with "GET /?bot_id=0&mode=1", contain
# "Host: " afterwards, fit in a payload under 160 bytes, and go to an external port >= 1024.
# Differs from the newer rev 5 copy on this page only in where classtype sits relative to reference;
# both are metadata options, so matching is unaffected.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; sid:2008358; rev:5;)

Added 2011-09-14 22:38:25 UTC


# sid 2008358, rev 5 (copy stored 2011-02-04): same match options as the later rev 5 copies on this page.
# Carries a second reference (the cvsweb path for sigs/VIRUS/TROJAN_Pakes) that those later copies omit.
# The Host test is "Host|3a| " with no leading CRLF, unlike rev 3 and earlier.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:5;)

Added 2011-02-04 17:27:31 UTC


# sid 2008358, rev 3: payload under 160 bytes must begin with "GET /?bot_id=0&mode=1" (depth:21) on an
# established client-to-server flow to an external port >= 1024.
# The second content is "|0d 0a|Host\: " -- a CRLF immediately followed by "Host: " ("\:" is an escaped
# colon) -- so the Host test is tied to the start of a header line. Rev 5 on this page drops the CRLF.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:3;)

Added 2009-07-12 17:00:36 UTC


# sid 2008358, rev 3 (second entry with the same 2009-07-12 timestamp; text matches the other rev 3 entry).
# Requires "GET /?bot_id=0&mode=1" at the start of a payload under 160 bytes, then CRLF + "Host: " later
# in the same payload, on an established client-to-server flow to an external port >= 1024.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:2;)

Added 2009-07-12 17:00:36 UTC


# sid 2008358, rev 2: same detection options as rev 3 on this page (request prefix at depth:21, then
# CRLF + "Host: ", payload under 160 bytes, external destination port >= 1024).
# NOTE(review): msg spells the family "Cutwall" here; later revisions on this page use "Cutwail", so
# alert searches keyed on the msg text need to account for both spellings in older logs.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:2;)

Added 2009-02-13 19:30:23 UTC


# sid 2008358, rev 2 (second entry with the same 2009-02-13 timestamp; text matches the other rev 2 entry).
# Matches "GET /?bot_id=0&mode=1" at the start of a payload under 160 bytes, followed later by
# CRLF + "Host: ", on an established client-to-server flow to an external port >= 1024.
# NOTE(review): msg uses the "Cutwall" spelling in this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:2;)

Added 2009-02-13 19:30:23 UTC


# sid 2008358, rev 1 (original entry, 2008-06-30): carries no reference options.
# Detection: established client-to-server flow from $HOME_NET to an external port >= 1024, payload under
# 160 bytes that begins with "GET /?bot_id=0&mode=1" (depth:21) and later contains CRLF + "Host: ".
# NOTE(review): msg uses the "Cutwall" spelling in this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; sid:2008358; rev:1;)

Added 2008-06-30 10:28:32 UTC

sample (unconfirmed, but a perfect match for the sig; the ".." pairs below are presumably the CRLF line endings rendered as dots):

GET /?bot_id=0&mode=1 HTTP/1.1..User-Agent: imrabot..Host: sys365.3fn.net:2084

-- RussellFulton - 04 Dec 2008


Topic revision: r2 - 2008-12-04 - RussellFulton
 