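# ET POLICY DNSWatch.info IP Check  (sid 2014359, rev 8)
#
# Matches an established client -> server HTTP request (flow:from_client) whose
# URI carries a dnswatch.info lookup-form submission ("/dns/dnslookup?la=en&host="
# followed somewhere later by "&type=A&submit=Resolve") and whose normalized
# headers carry the fixed User-Agent "Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)"
# plus "Host: www.dnswatch.info" immediately followed by "Cache-Control: no-cache".
#
# History: revs 4-6 of this sid attributed the traffic to Win32/Protux.B; rev 7
# re-categorised it as a POLICY rule but left classtype:trojan-activity in place.
# rev 8 aligns the classtype with the POLICY category so the alert priority matches
# the msg. If the Protux attribution is still considered reliable, keep
# trojan-activity instead and record the reason here.
#
# Tuning notes:
# - The host= value is not pinned: distance:0 only requires the second URI content
#   to appear somewhere after the first, so any looked-up hostname matches.
# - The Host/Cache-Control content requires those two headers to be adjacent and in
#   that order; a client that emits them in another order will not match.
# - fast_pattern is on the short "WININET 5.0)\r\n" fragment; all five content
#   checks must still succeed before the rule fires.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; http_header; classtype:policy-violation; sid:2014359; rev:8;)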

Added 2012-07-10 20:34:55 UTC


# sid 2014359 rev 7 (earlier of two identical entries for 2012-07-10): the msg was
# changed from the rev 6 "ET TROJAN Possible Win32/Protux.B ..." wording to the
# POLICY category. The URI and header content checks are unchanged from rev 6, and
# classtype:trojan-activity was carried over unchanged despite the POLICY msg.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; http_header; classtype:trojan-activity; sid:2014359; rev:7;)

Added 2012-07-10 01:16:50 UTC


# sid 2014359 rev 6 (later of two identical entries for 2012-03-12): drops the
# within:14 / within:50 constraints of rev 5. Without them the "WININET 5.0)\r\n"
# and Host/Cache-Control contents are absolute searches of the normalized header
# buffer rather than having to follow the preceding match directly, which widens
# what the rule accepts (header order around the User-Agent no longer matters).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Protux.B dnswatch check for CnC? IP"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; http_header; classtype:trojan-activity; sid:2014359; rev:6;)

Added 2012-03-12 12:32:23 UTC


# sid 2014359 rev 6 (earlier of two identical entries for 2012-03-12): same text as
# the later rev 6 entry. Relative to rev 5 the within:14 and within:50 modifiers are
# gone, so the WININET and Host/Cache-Control contents are no longer required to sit
# immediately after the previous match in the header buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Protux.B dnswatch check for CnC? IP"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; http_header; classtype:trojan-activity; sid:2014359; rev:6;)

Added 2012-03-12 11:53:31 UTC


# sid 2014359 rev 5 (later of two identical entries for 2012-03-12): adds the
# http_header modifier that the User-Agent content lacked in rev 4, so all three
# header contents and their relative modifiers refer to the same buffer.
# within:14 equals the length of "WININET 5.0)\r\n" (12 + CRLF) and within:50
# equals the length of the Host/Cache-Control content (25 + 25 bytes), so each of
# those contents must directly follow the preceding match with no gap.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Protux.B dnswatch check for CnC? IP"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; within:14; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; within:50; http_header; classtype:trojan-activity; sid:2014359; rev:5;)

Added 2012-03-12 09:53:02 UTC


# sid 2014359 rev 5 (earlier of two identical entries for 2012-03-12): same text as
# the later rev 5 entry. Compared with rev 4 the User-Agent content now carries
# http_header; the within: values equal the lengths of the contents they qualify
# ("WININET 5.0)\r\n" = 14 bytes, Host + Cache-Control lines = 50 bytes), so those
# contents had to follow the previous match immediately.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Protux.B dnswatch check for CnC? IP"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; within:14; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; within:50; http_header; classtype:trojan-activity; sid:2014359; rev:5;)

Added 2012-03-12 08:48:29 UTC


# sid 2014359 rev 4 (initial entry, 2012-03-09): the User-Agent content has no
# http_header modifier, so it is matched against the unnormalized payload while the
# following "WININET 5.0)\r\n" content is both http_header and within:14 relative to
# that match -- i.e. a relative constraint anchored to a match in a different buffer.
# rev 5 corrected this by adding http_header to the User-Agent content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Protux.B dnswatch check for CnC? IP"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; content:"WININET 5.0)|0D 0A|"; within:14; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; within:50; http_header; classtype:trojan-activity; sid:2014359; rev:4;)

Added 2012-03-09 16:29:03 UTC

