alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; content:"POST"; http_method; content:".jpg"; http_uri; content:!"upload.wikimedia.org"; http_uri; pcre:"/\.jpg$/U"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:03:11 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; content:"POST"; http_method; content:".jpg"; http_uri; content:!"upload.wikimedia.org"; http_uri; pcre:"/\.jpg$/U"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:10;)

Added 2015-04-24 18:03:06 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; content:"POST"; http_method; content:".jpg"; http_uri; fast_pattern:only; pcre:"/\.jpg$/U"; pcre:"/POST\s[^\r\n]+?\.jpg HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:8;)

Added 2012-08-31 21:47:21 UTC

It seams that there are flase positives when the last URL parameter ends with .jpg:

From my LAN to 91.198.174.202:80

POST /beacon/media?duration=2728&uri=http%3A%2F%2Fupload.wikimedia.org%2Fwikipedia%2Fcommons%2Fthumb%2F9%2F9e%2FALMA_COGAN_WITH_ILANA_ROVINA%252C.jpg%2F640px-ALMA_COGAN_WITH_ILANA_ROVINA%252C.jpg HTTP/1.1 Host: bits.wikimedia.org User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://en.wikipedia.org/wiki/Alma_Cogan Origin: http://en.wikipedia.org Cookie: GeoIP?=xxxxxxxxxxxxxxxxxxxxxxxxx Connection: keep-alive Content-Length: 0

-- LandryMINOZA - 2015-04-24

Thanks, we should have an update for this today!

-- DarienH - 2015-04-24


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; content:"POST"; http_method; content:".jpg"; http_uri; fast_pattern:only; pcre:"/\.jpg$/U"; pcre:"/POST\s[^\r\n]+?\.jpg HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:8;)

Added 2012-08-31 18:30:05 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpg"; nocase; http_uri; content:".jpg HTTP"; nocase; pcre:"/\.jpg$/i"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:6;)

Added 2012-03-20 17:59:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (jpg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpg"; nocase; http_uri; content:".jpg HTTP"; nocase; pcre:"/POST\x20.*\/.+\.jpg\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:5;)

Added 2012-03-19 23:39:06 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (jpg)"; flow:established,to_server; content:"POST"; http_method; content:".jpg"; nocase; http_uri; content:".jpg HTTP"; nocase; pcre:"/POST\x20.*\/.+\.jpg\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:4;)

Added 2011-10-12 19:28:53 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (jpg)"; flow:established,to_server; content:"POST"; http_method; content:".jpg"; nocase; http_uri; content:".jpg HTTP"; nocase; classtype:trojan-activity; pcre:"/POST\x20.*\/.+\.jpg\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010067; sid:2010067; rev:4;)

Added 2011-09-14 22:42:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (jpg)"; flow:established,to_server; content:"POST"; http_method; content:".jpg"; nocase; http_uri; content:".jpg HTTP"; nocase; classtype:trojan-activity; pcre:"/POST\x20.*\/.+\.jpg\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010067; rev:4;)

Added 2011-02-04 17:29:31 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (jpg)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".jpg"; nocase; content:".jpg HTTP"; nocase; classtype:trojan-activity; pcre:"/POST\x20.*\/.+\.jpg\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010067; rev:3;)

Added 2009-12-01 14:45:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (jpg)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".jpg"; nocase; content:".jpg HTTP"; nocase; classtype:trojan-activity; pcre:"/POST\x20.*\/.+\.jpg\x20HTTP\/1\.[0-1]$/i"; reference:url,doc.emergingthreats.net/2010067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010067; rev:3;)

Added 2009-12-01 14:45:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (jpg)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".jpg"; content:".jpg HTTP"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010067; rev:2;)

Added 2009-10-12 20:45:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (jpg)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".jpg"; content:".jpg HTTP"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Post_to_image; sid:2010067; rev:2;)

Added 2009-10-12 20:45:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Data POST to an image file (jpg)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".jpg"; content:".jpg HTTP"; classtype:trojan-activity; sid:2010067; rev:1;)

Added 2009-10-09 08:00:42 UTC


Topic revision: r3 - 2015-04-24 - DarienH
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats