alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?(?<!__utm)\.gif HTTP\/1\./"; content:!".tealiumiq.com"; http_header; content:!"snackly.co"; http_header; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-09-15 17:04:03 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?(?<!__utm)\.gif HTTP\/1\./"; content:!".tealiumiq.com"; http_header; content:!"counter.snackly.co"; http_header; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-28 16:28:10 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?(?<!__utm)\.gif HTTP\/1\./"; content:!".tealiumiq.com"; http_header; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:03:11 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?(?<!__utm)\.gif HTTP\/1\./"; content:!".tealiumiq.com"; http_header; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:11;)

Added 2016-01-07 21:05:23 UTC

It seems there is false positive on request to hmma.baidu.com

POST /app.gif HTTP/1.1 Content-Type: gzip key: xxx iv: yyy User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M) Host: hmma.baidu.com Connection: Keep-Alive Accept-Encoding: gzip Content-Length: 759

-- VadymChakrian - 2017-06-22

This does not appear to be a FP, please see here: hxxps://citizenlab[.]org/2016/02/privacy-security-issues-baidu-browser/

-- DarienH - 2017-06-23


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?(?<!__utm)\.gif HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:9;)

Added 2012-09-06 17:03:00 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?\.gif HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:8;)

Added 2012-08-31 21:47:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?\.gif HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:8;)

Added 2012-08-31 18:30:04 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".gif"; nocase; http_uri; content:".gif HTTP"; nocase; pcre:"/\.gif$/Ui"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:6;)

Added 2012-03-20 17:59:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (gif)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".gif"; nocase; http_uri; content:".gif HTTP"; nocase; pcre:"/POST\x20.*\/.+\.gif\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:5;)

Added 2012-03-19 23:39:06 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (gif)"; flow:established,to_server; content:"POST"; http_method; content:".gif"; nocase; http_uri; content:".gif HTTP"; nocase; pcre:"/POST\x20.*\/.+\.gif\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:4;)

Added 2011-10-12 19:28:53 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (gif)"; flow:established,to_server; content:"POST"; http_method; content:".gif"; nocase; http_uri; content:".gif HTTP"; nocase; classtype:trojan-activity; pcre:"/POST\x20.*\/.+\.gif\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010066; sid:2010066; rev:4;)

Added 2011-09-14 22:42:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (gif)"; flow:established,to_server; content:"POST"; http_method; content:".gif"; nocase; http_uri; content:".gif HTTP"; nocase; classtype:trojan-activity; pcre:"/POST\x20.*\/.+\.gif\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010066; rev:4;)

Added 2011-02-04 17:29:31 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (gif)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".gif"; nocase; content:".gif HTTP"; nocase; classtype:trojan-activity; pcre:"/POST\x20.*\/.+\.gif\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010066; rev:3;)

Added 2009-12-01 14:45:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (gif)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".gif"; nocase; content:".gif HTTP"; nocase; classtype:trojan-activity; pcre:"/POST\x20.*\/.+\.gif\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010066; rev:3;)

Added 2009-12-01 14:45:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (gif)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".gif"; content:".gif HTTP"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010066; rev:2;)

Added 2009-10-12 20:45:37 UTC

These rules seem to generate considerable false positives. Attaching pcaps.

-- RickChisholm - 14 Oct 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (gif)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".gif"; content:".gif HTTP"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010066; rev:2;)

Added 2009-10-12 20:45:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (gif)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".gif"; content:".gif HTTP"; classtype:trojan-activity; sid:2010066; rev:1;)

Added 2009-10-09 08:00:42 UTC


Topic revision: r4 - 2017-06-23 - DarienH
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats