#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; file_data; content:"http|3a|//"; within:7; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:2;)

Added 2012-08-27 17:29:05 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Clickfraud List Delivered To Client"; flow:established,from_server; file_data; content:"http|3a|//"; within:7; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:1;)

Added 2012-01-23 20:19:06 UTC

False positives on eveonline advertisements:

[request]
GET ///advert/
Connection: close
Accept-Encoding: identity
Host: client.eveonline.com
User-Agent: CCP-minibrowser/3.0
X-HTTP-Version: 1.1

[response]
200 OK
Cache-Control: public, max-age=56
Connection: close
Date: Fri, 24 Aug 2012 15:53:38 GMT
Server: Microsoft-IIS/7.5
Vary: *
Content-Length: 212
Content-Type: text/html; charset=utf-8
Expires: Fri, 24 Aug 2012 15:54:35 GMT
Last-Modified: Fri, 24 Aug 2012 15:53:35 GMT
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 3.0
X-HTTP-Version: 1.1
X-Powered-By: ASP.NET

http://client.eveonline.com:80/track/advertLoad/327|http://client.eveonline.com:80/track/advertClick/327
http://client.eveonline.com:80/track/advertLoad/326|http://client.eveonline.com:80/track/advertClick/326

-- RichGraves - 27 Aug 2012
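The following added example (not part of the original page or of the Emerging Threats ruleset) emulates the four chained content matches of sid:2014149 in Python and runs them over the response body from the report above, showing why the advert list fires the rule. The CRLF line endings are an assumption, consistent with the reported Content-Length of 212. The two non-matching bodies are constructed.

```python
# Emulates only the content chain of sid:2014149 over the file_data buffer
# (the HTTP response body). This is not a Suricata/Snort engine: flow,
# ports and HTTP parsing are out of scope.

# (pattern, within) in rule order; within=None means distance:0 only.
RULE_CHAIN = [
    (b"http://", 7),         # content:"http|3a|//"; within:7;
    (b"|http://", None),     # content:"|7C|http|3a|//"; distance:0;
    (b"\r\nhttp://", None),  # content:"|0D 0A|http|3a|//"; distance:0;
    (b"|http://", None),     # content:"|7C|http|3a|//"; distance:0;
]

def match_chain(buf, chain=RULE_CHAIN):
    """Return the offset of each content match in order, or None if no alert."""
    cursor = 0  # end of the previous match; file_data starts at 0
    offsets = []
    for pattern, within in chain:
        # within:N: the match must end no later than N bytes past the cursor.
        limit = len(buf) if within is None else min(len(buf), cursor + within)
        # Taking the earliest match is enough here: every later content is
        # bounded only by distance:0, so an earlier match never hurts.
        pos = buf.find(pattern, cursor, limit)
        if pos < 0:
            return None
        offsets.append(pos)
        cursor = pos + len(pattern)
    return offsets

# Body from the false-positive report on this page (CRLF endings assumed).
EVE_BODY = (
    b"http://client.eveonline.com:80/track/advertLoad/327"
    b"|http://client.eveonline.com:80/track/advertClick/327\r\n"
    b"http://client.eveonline.com:80/track/advertLoad/326"
    b"|http://client.eveonline.com:80/track/advertClick/326\r\n"
)
# Constructed: same URL pairs inside HTML, so "http://" is not at offset 0.
HTML_BODY = (b"<html>http://example.com/a|http://example.com/b\r\n"
             b"http://example.com/c|http://example.com/d</html>")
# Constructed: a single pair, so the CRLF + "http://" content never matches.
SINGLE_PAIR = b"http://example.com/a|http://example.com/b\r\n"

if __name__ == "__main__":
    for name, body in [("eve advert list", EVE_BODY),
                       ("html page", HTML_BODY),
                       ("single pair", SINGLE_PAIR)]:
        print(name, "->", match_chain(body))
```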


Topic revision: r3 - 2012-08-27 - MattJonkman
 
Copyright © Emerging Threats