2014149 (revision 2)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Clickfraud List Delivered To Client"; flow:established,from_server; file_data; content:"http|3a|//"; within:7; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:1;)

Added 2012-01-23 20:19:06 UTC

False positives on eveonline advertisements:

[request]
GET ///advert/
Connection: close
Accept-Encoding: identity
Host: client.eveonline.com
User-Agent: CCP-minibrowser/3.0
X-HTTP-Version: 1.1

[response]
200 OK
Cache-Control: public, max-age=56
Connection: close
Date: Fri, 24 Aug 2012 15:53:38 GMT
Server: Microsoft-IIS/7.5
Vary: *
Content-Length: 212
Content-Type: text/html; charset=utf-8
Expires: Fri, 24 Aug 2012 15:54:35 GMT
Last-Modified: Fri, 24 Aug 2012 15:53:35 GMT
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 3.0
X-HTTP-Version: 1.1
X-Powered-By: ASP.NET

http://client.eveonline.com:80/track/advertLoad/327|http://client.eveonline.com:80/track/advertClick/327
http://client.eveonline.com:80/track/advertLoad/326|http://client.eveonline.com:80/track/advertClick/326

-- RichGraves - 27 Aug 2012
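
Why the rule fires on this response, as an added example (not part of the original page and not Emerging Threats or Suricata code): a minimal Python model of the rule's four content matches, applied to the reported body. The CRLF line endings are an assumption, consistent with the reported Content-Length of 212; `match_chain` and `list_hosts` are hypothetical helper names.

```python
from urllib.parse import urlsplit

# The rule's four content matches in order (|3a| is ':', |7C| is '|', |0D 0A| is CRLF).
CHAIN = [b"http://", b"|http://", b"\r\nhttp://", b"|http://"]
FIRST_WITHIN = 7  # within:7 after file_data: the first match must end by byte 7

# Body from the report above; CRLF line endings assumed (2 x 104 bytes + 2 CRLF = 212).
EVE_BODY = (
    b"http://client.eveonline.com:80/track/advertLoad/327"
    b"|http://client.eveonline.com:80/track/advertClick/327\r\n"
    b"http://client.eveonline.com:80/track/advertLoad/326"
    b"|http://client.eveonline.com:80/track/advertClick/326\r\n"
)


def match_chain(body: bytes):
    """Return the offset of each content match, or None if the chain fails."""
    offsets, cursor = [], 0
    for i, pattern in enumerate(CHAIN):
        pos = body.find(pattern, cursor)  # distance:0: search from end of last match
        if pos < 0 or (i == 0 and pos + len(pattern) > FIRST_WITHIN):
            return None
        offsets.append(pos)
        cursor = pos + len(pattern)
    return offsets


def list_hosts(body: bytes):
    """Hypothetical triage aid: the set of hostnames named in a URL list."""
    urls = body.decode("ascii", "replace").replace("|", "\r\n").split("\r\n")
    return {urlsplit(u).hostname for u in urls if u}


if __name__ == "__main__":
    print("match offsets:", match_chain(EVE_BODY))
    print("hosts in list:", list_hosts(EVE_BODY))
```

Every URL in this body is on client.eveonline.com, the same host the request was sent to.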


Topic revision: r2 - 2012-08-27 - RichGraves
 