alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; fast_pattern; content:!".msi"; content:!".img"; content:!"This program cannot"; classtype:trojan-activity; sid:2014099; rev:6; metadata:created_at 2012_01_04, updated_at 2012_01_04;)

Added 2017-08-07 21:07:25 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; fast_pattern; content:!".msi"; content:!".img"; content:!"This program cannot"; classtype:trojan-activity; sid:2014099; rev:6;)

Added 2015-03-20 18:11:37 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; distance:0; content:!".msi"; content:!"This program cannot"; classtype:trojan-activity; sid:2014099; rev:1;)

Added 2012-01-04 18:24:13 UTC
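To make the revision history above concrete, here is an added Python model (not part of the ET rule or this page) of the rule's file_data content logic: the signature fires only when the OLE2 compound-document magic is present in the response body and every content:! string is absent. It assumes standard Snort/Suricata semantics for negated content and uses constructed sample bodies, not real captures.

```python
"""
Model of sid:2014099's file_data matching at rev:1 and rev:6.
rev:1 negates ".msi" and "This program cannot"; rev:6 adds ".img",
which is the negation added after the SharePoint .img false positive.
"""
from typing import Dict, Sequence

# content:"|d0 cf 11 e0 a1 b1 1a e1|" -- OLE2 / Compound File Binary header
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Negated content keywords, taken from the rule text of each revision.
NEGATIONS: Dict[int, Sequence[bytes]] = {
    1: (b".msi", b"This program cannot"),
    6: (b".msi", b".img", b"This program cannot"),
}


def rule_matches(file_data: bytes, rev: int, landing_seen: bool = True) -> bool:
    """Return True if the rule at `rev` would alert on this HTTP body.

    landing_seen models flowbits:isset,et.exploitkitlanding: with no prior
    exploit-kit landing page on the flow the rule never fires.
    """
    if not landing_seen:
        return False
    if OLE2_MAGIC not in file_data:  # the positive content must be found
        return False
    # Every content:! keyword must be absent from the inspected buffer.
    return all(neg not in file_data for neg in NEGATIONS[rev])


# Constructed sample bodies for illustration only (not real files).
EK_OFFICE_DOC = OLE2_MAGIC + b"\x00" * 8 + b"Root Entry"
# A PE carries the MZ stub text, so the rule must not fire on it.
PE_DROPPER = OLE2_MAGIC + b"This program cannot be run in DOS mode."
# A disk image that embeds an OLE2 structure and names its own .img file.
SHAREPOINT_IMG = b"CD001" + b"SharePointServer_x64_en-us.img" + OLE2_MAGIC


def false_positive_fixed() -> bool:
    """True when rev:1 alerts on the .img body but rev:6 does not."""
    return rule_matches(SHAREPOINT_IMG, 1) and not rule_matches(SHAREPOINT_IMG, 6)


if __name__ == "__main__":
    for name, body in [("office", EK_OFFICE_DOC), ("pe", PE_DROPPER), ("img", SHAREPOINT_IMG)]:
        print(name, "rev1:", rule_matches(body, 1), "rev6:", rule_matches(body, 6))
```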

This seems to be a false positive when downloading SharePoint 2013 from: http://care.dlservice.microsoft.com/dl/download/3/D/7/3D713F30-C316-49B8-9CC0-E1BFC34B63A0/SharePointServer_x64_en-us.img

-- BitmeLancelot - 2015-03-17

We have added a negation to eliminate FP, thanks!

-- TravisGreen - 2015-03-20


Topic revision: r3 - 2015-03-20 - TravisGreen