#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Dropper.Win32.Mudrop.asj Reporting"; flow:established,to_server; content:"GET"; http_uri; content:"/sa.aspx?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"refe="; nocase; http_uri; content:"location="; nocase; http_uri; content:"language="; nocase; http_uri; content:"ua="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=0398af3218eb6f21195d701a0b001445; classtype:trojan-activity; sid:2012589; rev:4; metadata:created_at 2011_03_28, updated_at 2011_03_28;)

Added 2017-08-07 21:05:45 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Dropper.Win32.Mudrop.asj Reporting"; flow:established,to_server; content:"GET"; http_uri; content:"/sa.aspx?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"refe="; nocase; http_uri; content:"location="; nocase; http_uri; content:"language="; nocase; http_uri; content:"ua="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=0398af3218eb6f21195d701a0b001445; classtype:trojan-activity; sid:2012589; rev:3;)

Added 2011-10-12 19:34:43 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Dropper.Win32.Mudrop.asj Reporting"; flow:established,to_server; content:"GET"; http_uri; content:"/sa.aspx?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"refe="; nocase; http_uri; content:"location="; nocase; http_uri; content:"language="; nocase; http_uri; content:"ua="; nocase; http_uri; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=0398af3218eb6f21195d701a0b001445; sid:2012589; rev:3;)

Added 2011-04-12 14:07:00 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Mudrop.asj Reporting"; flow:established,to_server; content:"GET"; http_uri; content:"/sa.aspx?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"refe="; nocase; http_uri; content:"location="; nocase; http_uri; content:"language="; nocase; http_uri; content:"ua="; nocase; http_uri; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=0398af3218eb6f21195d701a0b001445; sid:2012589; rev:2;)

Added 2011-03-28 17:33:32 UTC

There is a "web hit" counting service at http://count.51yes.com/. This signature appears to match the "register a hit" URL for all subscribing sites, and so I'd suggest that it is much too broad. There are additional details in the Threat Expert report that could be used to restrict the match results.

-- MikePelley - 11 Apr 2011

Agreed Mike. This looks to be far too close to the ad traffic. Removing the rule for the time being. Thanks for the report!

-- MattJonkman - 12 Apr 2011


Topic revision: r3 - 2011-04-12 - MattJonkman