alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a|Content-Type\: application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; sid:2008367; rev:2;)

Added 2008-07-07 09:38:10 UTC

alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a|Content-Type\: application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; sid:2008367; rev:2;)

Added 2008-07-07 09:38:10 UTC

alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a|Content-Type\: application/x-javascript"; content:"|0d 0a|MZ"; within: 15; classtype: trojan-activity; sid:2008367; rev:1;)

Added 2008-07-03 15:30:00 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET"; depth:4; uricontent:"?mail="; uricontent:"subject=Keylogger"; uricontent:"&body="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)"; nocase; classtype:trojan-activity; sid:2008367; rev:1;)

Added 2008-07-03 15:24:48 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET"; depth:4; uricontent:"?mail="; uricontent:"subject=Keylogger"; uricontent:"&body="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)"; nocase; classtype:trojan-activity; sid:2008367; rev:1;)

Added 2008-07-03 15:24:48 UTC