alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV Download (download.php?id=)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"download.php?id="; pcre:"/download\.php\?id=\d+/U"; classtype:trojan-activity; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010464; rev:2;)

Added 2009-12-16 09:00:47 UTC

disabled -- lots of FPs....

-- RussellFulton - 11 Jan 2010


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV Download (download.php?id=)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"download.php?id="; pcre:"/download\.php\?id=\d+/U"; classtype:trojan-activity; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010464; rev:2;)

Added 2009-12-16 09:00:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV Download (download.php?id=)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"download.php?id="; pcre:"/download\.php\?id=\d+/U"; classtype:trojan-activity; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; sid:2010464; rev:1;)

Added 2009-12-14 10:01:38 UTC


Topic revision: r2 - 2010-01-11 - RussellFulton
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats