# sid 2009522 rev 10; the leading '#' leaves the rule commented out.
# Matches an established client-to-server HTTP request whose method buffer contains "GET"
# (case-insensitive) and whose URI contains ".gif?" plus the substrings "t=", "q=", "p=" and "pn=",
# unless the URI contains "c.gif?" (any case) or "__utm.gif?" (case-sensitive, no nocase).
# The method content is "GET" with no trailing space; revs 8 and 9 on this page used "GET ".
# NOTE(review): the parameter contents are short, unordered and not anchored to "?" or "&", so
# "q=" also matches inside a longer name such as "seq="; that leaves room for hits on unrelated
# .gif requests beyond the two excluded beacons.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; http_uri; content:".gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; classtype:trojan-activity; sid:2009522; rev:10;)

Added 2012-03-27 00:27:07 UTC


# sid 2009522 rev 9 (commented out). URI conditions are the same as rev 8 on this page; the only
# option change is nocase added to the method content.
# NOTE(review): content:"GET " carries a trailing space but is applied to the http_method buffer.
# If that buffer holds only the method token, this content cannot match and the rule would never
# fire - confirm against the engine in use. Rev 10 on this page drops the space.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET "; nocase; http_method; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; http_uri; content:".gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; classtype:trojan-activity; sid:2009522; rev:9;)

Added 2012-03-19 23:39:05 UTC


# sid 2009522 rev 8 (commented out). First revision on this page that replaces the raw-payload
# check (content:"GET"; depth:4) with an http_method match, and that adds the two negated URI
# contents "c.gif?" and "__utm.gif?" ahead of the ".gif?", "t=", "q=", "p=", "pn=" matches.
# The msg is back under "ET TROJAN" after the "ET DELETED" rev 4 entries.
# NOTE(review): content:"GET " keeps the trailing space while matching the http_method buffer; if
# that buffer holds only the method token the rule cannot fire - confirm against the engine in use.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET "; http_method; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; http_uri; content:".gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; classtype:trojan-activity; sid:2009522; rev:8;)

Added 2011-10-12 19:27:37 UTC


# sid 2009522 rev 4, commented out with '##' and with the msg moved to the "ET DELETED" category.
# Detection options are unchanged from rev 3: "GET" within the first 4 payload bytes, then
# ".gif?", "t=", "q=", "p=" and "pn=" in the URI, with no exclusions for analytics beacons.
# This entry has no cvsweb reference, yet carries the same rev:4 as the 2011-09-14 entry that has it.
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; depth:4; content:".gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; sid:2009522; rev:4;)

Added 2011-09-14 22:40:55 UTC


# sid 2009522 rev 4, commented out with '##'; the msg category changes from "ET TROJAN" to
# "ET DELETED" while the detection options stay the same as rev 3 on this page.
# Still lists the cvsweb reference that the later rev:4 entry on this page omits.
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; depth:4; content:".gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:4;)

Added 2011-07-20 00:26:25 UTC


# sid 2009522 rev 3 (commented out). Converts each uricontent option of rev 2 into
# content + http_uri, and changes the payload check from "GET " to "GET" (still depth:4).
# The set of URI substrings is unchanged: ".gif?", "t=", "q=", "p=", "pn=", all nocase.
# NOTE(review): no exclusion yet for legitimate tracking-pixel URIs; the negated "c.gif?" and
# "__utm.gif?" contents first appear in rev 8 on this page.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; depth:4; content:".gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:3;)

Added 2011-02-04 17:28:52 UTC


# sid 2009522 rev 2, here commented out; the option list is identical to the enabled rev 2
# entries further down this page.
# Requires "GET " within the first 4 payload bytes and the uricontent substrings ".gif?", "t=",
# "q=", "p=" and "pn=" (all nocase), with no exclusions for legitimate .gif beacons.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET "; depth:4; uricontent:".gif?"; nocase; uricontent:"t="; nocase; uricontent:"q="; nocase; uricontent:"p="; nocase; uricontent:"pn="; nocase; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:2;)

Added 2009-07-12 17:15:34 UTC


# sid 2009522 rev 2, commented out; same options as the enabled rev 2 entries on this page.
# Requires "GET " within the first 4 payload bytes and the uricontent substrings ".gif?", "t=",
# "q=", "p=" and "pn=" (all nocase), with no exclusions for legitimate .gif beacons.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET "; depth:4; uricontent:".gif?"; nocase; uricontent:"t="; nocase; uricontent:"q="; nocase; uricontent:"p="; nocase; uricontent:"pn="; nocase; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:2;)

Added 2009-07-12 17:15:34 UTC


# sid 2009522 rev 2, enabled (no leading '#').
# Alerts on an established client-to-server request that starts with "GET " (depth:4) and whose
# URI contains ".gif?", "t=", "q=", "p=" and "pn=" (uricontent, all nocase, any order).
# NOTE(review): nothing here excludes legitimate tracking-pixel requests; the comment below this
# entry on the page reports false positives on a web-analytics page-tagging .gif.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET "; depth:4; uricontent:".gif?"; nocase; uricontent:"t="; nocase; uricontent:"q="; nocase; uricontent:"p="; nocase; uricontent:"pn="; nocase; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:2;)

Added 2009-07-09 18:45:36 UTC

This looks like it produces false positives on legitimate web-analytics page tagging, such as the NetTracker Page Tagging Script, for example "GET /ntpagetag.gif?js=1&ts=1247242109515..."

-- KevinBranch - 10 Jul 2009

Do you happen to have a full URL available?

-- MattJonkman - 10 Jul 2009


# sid 2009522 rev 2, enabled. Detection options match rev 1; the change is the two added
# references (doc.emergingthreats.net/2009522 and the cvsweb TROJAN_Pasta entry).
# Alerts on a request that starts with "GET " (depth:4) and whose URI contains ".gif?", "t=",
# "q=", "p=" and "pn=" (uricontent, all nocase, any order).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET "; depth:4; uricontent:".gif?"; nocase; uricontent:"t="; nocase; uricontent:"q="; nocase; uricontent:"p="; nocase; uricontent:"pn="; nocase; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:2;)

Added 2009-07-09 18:45:36 UTC


# sid 2009522 rev 1, the earliest entry on this page; enabled.
# Outbound ($HOME_NET -> $EXTERNAL_NET, $HTTP_PORTS) established client-to-server traffic that
# starts with "GET " (depth:4) and whose URI contains ".gif?", "t=", "q=", "p=" and "pn="
# (uricontent, all nocase, any order). The only reference is the malwarebytes.org Trojan.Pasta entry.
# NOTE(review): the two- and three-byte parameter contents are not anchored to "?" or "&", so they
# can match inside longer parameter names; presumably tuned to the sample's check-in URI - verify
# against a capture before relying on it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET "; depth:4; uricontent:".gif?"; nocase; uricontent:"t="; nocase; uricontent:"q="; nocase; uricontent:"p="; nocase; uricontent:"pn="; nocase; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; sid:2009522; rev:1;)

Added 2009-07-09 13:37:47 UTC


Topic revision: r4 - 2011-01-10 - NlKiw
 