# sid 2011028, rev 9: alerts on an inbound, established-session GET request whose
# headers contain the literal path C:/WINDOWS/system32/calc.exe (|3a| is ':').
# Per the msg text, this string is treated as a marker of HZZP scanning.
# - "GET" is matched in the HTTP method buffer, the path in the HTTP header buffer.
# - fast_pattern:only makes the path the prefilter pattern for this rule.
# - The pcre carries no HTTP buffer flag, so it presumably runs against the raw
#   payload rather than the normalized header buffer; confirm for the engine in use.
# - The pcre (multiline) wants a line where the path directly follows ": " and ends
#   at \r, optionally wrapped as "test" + any char before it or any char + "test"
#   after it (the dots are unescaped wildcards).
# - No nocase on either match: the rule is tied to the tool's exact casing.
# Triage: classtype attempted-recon. The rule sees only the request, so check the
# server's response and the source's other requests before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET"; http_method; content:"C|3a|/WINDOWS/system32/calc.exe"; fast_pattern:only; http_header; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; classtype:attempted-recon; sid:2011028; rev:9;)

Added 2011-10-12 19:31:10 UTC


# sid 2011028, rev 9 (snapshot dated 2011-09-14 on this page): same detection
# options as the other rev 9 entries; only the placement of classtype relative to
# the reference options differs, which does not affect matching.
# Detection: GET in the HTTP method buffer plus the literal path
# C:/WINDOWS/system32/calc.exe in the HTTP header buffer (used as the fast pattern),
# then a multiline pcre requiring the path to follow ": " and end its line at \r.
# NOTE(review): rule text changed while rev stayed at 9, so sid+rev alone does not
# identify which snapshot a sensor is running.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET"; http_method; content:"C|3a|/WINDOWS/system32/calc.exe"; fast_pattern:only; http_header; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; classtype: attempted-recon; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; sid:2011028; rev:9;)

Added 2011-09-14 22:44:18 UTC


# sid 2011028, rev 9 (snapshot dated 2011-02-04 on this page): the first entry here
# that uses HTTP buffer modifiers. "GET" is bound to the HTTP method buffer and the
# path C:/WINDOWS/system32/calc.exe to the HTTP header buffer, replacing rev 4's
# raw-payload "GET " / depth:4 and trailing CRLF / within:9 checks.
# The pcre is unchanged from rev 4 and has no HTTP buffer flag, so it presumably
# still runs against the raw payload; confirm for the engine in use.
# This snapshot also carries a third reference (the cvsweb URL) that the later
# rev 9 entries on this page no longer include.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET"; http_method; content:"C|3a|/WINDOWS/system32/calc.exe"; fast_pattern:only; http_header; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; classtype: attempted-recon; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_HZZP; sid:2011028; rev:9;)

Added 2011-02-04 17:30:45 UTC


# sid 2011028, rev 4: raw-payload form of the rule (no HTTP buffer modifiers).
# - "GET " must sit in the first 4 payload bytes (depth:4).
# - The path C:/WINDOWS/system32/calc.exe has no offset/depth/buffer restriction,
#   so the content match alone can hit anywhere in the payload; the pcre is what
#   narrows it to a line of the form "<name>: <path>".
# - A CRLF must fall within 9 bytes after the path (within:9), which leaves room
#   for the optional 5-character suffix the pcre allows.
# - The pcre escapes the colon (C\:) where rev 3 wrote C:; both match the same
#   literal, so detection is unchanged from rev 3.
# No nocase anywhere: matching is tied to the exact casing of the path.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET "; depth:4; content:"C\:/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_HZZP; classtype: attempted-recon; sid:2011028; rev:4;)

Added 2010-04-14 21:15:58 UTC


# sid 2011028, rev 4: this entry repeats the rev 4 rule text and the
# 2010-04-14 21:15:58 UTC timestamp shown for the other rev 4 entry on this page.
# Detection: "GET " in the first 4 payload bytes, the literal path
# C:/WINDOWS/system32/calc.exe anywhere in the raw payload, a CRLF within 9 bytes
# after it, and a multiline pcre requiring the path to follow ": " and end at \r.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET "; depth:4; content:"C\:/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_HZZP; classtype: attempted-recon; sid:2011028; rev:4;)

Added 2010-04-14 21:15:58 UTC


# sid 2011028, rev 3: adds classtype attempted-recon to the rev 2 rule text; the
# detection options are otherwise the same.
# Detection (raw payload, no HTTP buffers): "GET " in the first 4 bytes, the path
# C:/WINDOWS/system32/calc.exe anywhere after, a CRLF within 9 bytes of the path,
# and a multiline pcre requiring "<anything>: " + optional "test?" + path +
# optional "?test" + \r at end of line ("?" standing for the unescaped dot).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET "; depth:4; content:"C\:/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_HZZP; classtype: attempted-recon; sid:2011028; rev:3;)

Added 2010-04-14 19:45:58 UTC


# sid 2011028, rev 3: this entry repeats the rev 3 rule text and the
# 2010-04-14 19:45:58 UTC timestamp shown for the other rev 3 entry on this page.
# Raw-payload match on "GET " (first 4 bytes), the calc.exe path, a CRLF within
# 9 bytes after it, and the line-anchored pcre; classtype is attempted-recon.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET "; depth:4; content:"C\:/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_HZZP; classtype: attempted-recon; sid:2011028; rev:3;)

Added 2010-04-14 19:45:58 UTC


# sid 2011028, rev 2: same detection options as rev 1, with two reference URLs
# added (doc.emergingthreats.net and the cvsweb path).
# This revision has no classtype option, so alerts carry no classification;
# priority presumably falls back to the engine default (confirm against the
# sensor configuration).
# Detection (raw payload): "GET " in the first 4 bytes, the literal path
# C:/WINDOWS/system32/calc.exe, a CRLF within 9 bytes after it, and a multiline
# pcre requiring the path to follow ": " and end its line at \r.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET "; depth:4; content:"C\:/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_HZZP; sid:2011028; rev:2;)

Added 2010-04-14 12:15:58 UTC


# sid 2011028, rev 2: this entry repeats the rev 2 rule text and the
# 2010-04-14 12:15:58 UTC timestamp shown for the other rev 2 entry on this page.
# Raw-payload match on "GET " (first 4 bytes), the calc.exe path, a CRLF within
# 9 bytes after it, and the line-anchored pcre; no classtype is set.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET "; depth:4; content:"C\:/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_HZZP; sid:2011028; rev:2;)

Added 2010-04-14 12:15:58 UTC


# sid 2011028, rev 1: the earliest version of the rule on this page.
# Scope: TCP from $EXTERNAL_NET to $HTTP_SERVERS on $HTTP_PORTS, client-to-server
# traffic on established sessions only.
# Detection (raw payload): "GET " in the first 4 bytes, the literal path
# C:/WINDOWS/system32/calc.exe, a CRLF within 9 bytes after it, and a multiline
# pcre requiring the path to follow ": " and end its line at \r.
# Only the krakowlabs.com reference is present and there is no classtype, so the
# alert carries no classification.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET "; depth:4; content:"C\:/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; sid:2011028; rev:1;)

Added 2010-04-14 11:15:57 UTC


Topic revision: r1 - 2011-10-12 - TWikiGuest
 