# ET TROJAN Win32/Ponmocup.A Checkin (sid 2014660, rev 3)
#
# Purpose: alert on an outbound HTTP GET for "/space.php" whose raw request
# headers follow one fixed layout. The msg field labels the traffic as a
# Win32/Ponmocup.A check-in; the md5 reference identifies the sample it was
# written against.
#
# How it matches:
#   - Header: TCP from $HOME_NET (any port) to $EXTERNAL_NET on $HTTP_PORTS,
#     client-to-server side of an established session.
#   - Method is GET (http_method buffer).
#   - urilen:10 plus "/space.php" in http_uri: the path is itself 10 bytes,
#     so the whole URI must be that path with nothing appended.
#   - "/space.php" carries fast_pattern, i.e. it is the prefilter pattern.
#   - "Accept: */*\r\nCookie: uid=" is 25 bytes; with offset:25; depth:25 and
#     no http_* modifier it must sit at raw payload bytes 25-49.
#     "GET /space.php HTTP/1.1\r\n" is also 25 bytes, so this presumably
#     requires Accept to be the first header, directly followed by Cookie.
#     NOTE(review): assumes an 8-byte HTTP version token; confirm on a capture.
#   - "; VISITOR=", "User-Agent: " and "Host: " each use distance:0, so they
#     must appear after the previous match, in this order.
#
# Detection caveats:
#   - The match depends on exact header order and spacing in cleartext HTTP.
#     A proxy that reorders or rewrites request headers before the sensor,
#     or an encrypted channel, would prevent it from firing.
#   - Only destination ports listed in $HTTP_PORTS are covered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Ponmocup.A Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/space.php"; http_uri; fast_pattern; content:"Accept|3a| */*|0d 0a|Cookie|3a| uid="; offset:25; depth:25; content:"|3b 20|VISITOR="; distance:0; content:"User-Agent|3a| "; distance:0; content:"Host|3a| "; distance:0; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:trojan-activity; sid:2014660; rev:3;)

Added 2012-05-01 20:42:42 UTC


Topic revision: r1 - 2012-05-02 - TWikiGuest
 