alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding"; flow:established,to_client; content:"%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012041; rev:1;)

Added 2011-10-12 19:33:20 UTC

url, www.sophos.com/security/technical-papers/malware_with_your_mocha.html returns a 404

should be replaced with: url, www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/malware_with_your_mocha.pdf

-- AmandaDeason - 2016-10-02

url,cansecwest.com/slides07/csw07-nazario.pdf returns a 404

should be replaced with: url,cansecwest.com/csw07/csw07-nazario.pdf

-- AmandaDeason - 2016-10-02


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding"; flow:established,to_client; content:"%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65"; nocase; fast_pattern:only; classtype:bad-unknown; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; sid:2012041; rev:1;)

Added 2011-02-04 17:31:54 UTC


Topic revision: r2 - 2016-10-02 - AmandaDeason
 
Copyright © Emerging Threats