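# ET TROJAN General Downloader Sending Mac Address (sid 20010631, rev 3).
# Fires on an outbound HTTP GET whose normalized URI carries x=, y= and z= query parameters.
# rev 2's pcre (/[0-9A-Fa-f]{6}/Ui) matched ANY six consecutive hex characters anywhere in the
# URI - plain decimal digits qualify - so ordinary ad/geolocation requests such as
#   GET /stw/stwgetad/getad2?publisher=548&x=1310&y=3166&z=13&...&lat=37.76...&lon=-122.40...
# tripped it (see the false-positive capture that accompanies this rule).
# The pcre is now anchored to the value of one of the x/y/z parameters and requires a full
# 6-byte MAC address (12 hex digits, optional ':' or '-' between octets) terminated by '&' or
# the end of the URI, so bare decimal coordinates/counters no longer match.
# NOTE(review): this assumes the downloader transmits the MAC as 12 hex digits inside x, y or
# z; no true-positive sample is available on this page - confirm the encoding against captured
# malware traffic before deploying, and widen the octet separator class if it uses another.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader Sending Mac Adress"; flow:established,to_server; content:"GET "; depth:4; uricontent:"x="; nocase; uricontent:"&y="; nocase; uricontent:"&z="; nocase; pcre:"/[?&][xyz]=[0-9A-Fa-f]{2}(?:[:\-]?[0-9A-Fa-f]{2}){5}(?:&|$)/Ui"; reference:url,doc.emergingthreats.net/20010631; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:20010631; rev:3;)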
Added 2010-01-07 16:45:42 UTC
This one false-positives on geolocation/ad-request traffic: the pcre `/[0-9A-Fa-f]{6}/Ui` matches any six consecutive hex characters anywhere in the URI (plain decimal digits qualify), so a query string such as `x=1310&y=3166&z=13&...&lat=37.76...&lon=-122.40...` satisfies the three uricontent checks and the pcre without carrying any MAC address. Sample capture:
9:05:09.839393 IP 172.17.12.29.2045 > 174.129.246.93.80: P 4171586717:4171587368(651) ack 4008472241 win 65535
0x0000: 4500 02b3 0ad1 4000 8006 9066 ac11 0c1d E.....@....f....
0x0010: ae81 f65d 07fd 0050 f8a5 5c9d eeec 6eb1 ...]...P..\...n.
0x0020: 5018 ffff e9f2 0000 4745 5420 2f73 7477 P.......GET./stw
0x0030: 2f73 7477 6765 7461 642f 6765 7461 6432 /stwgetad/getad2
0x0040: 3f70 7562 6c69 7368 6572 3d35 3438 2678 ?publisher=548&x
0x0050: 3d31 3331 3026 793d 3331 3636 267a 3d31 =1310&y=3166&z=1
0x0060: 3326 6164 5f73 697a 6573 3d5b 5d26 7075 3&ad_sizes=[]&pu
0x0070: 7368 7069 6e73 3d7b 2264 6566 6175 6c74 shpins={"default
0x0080: 223a 6661 6c73 657d 2672 6571 6964 3d31 ":false}&reqid=1
0x0090: 266c 6174 3d33 372e 3736 3033 3938 3838 &lat=37.76039888
0x00a0: 3732 3532 3133 266c 6f6e 3d2d 3132 322e 725213&lon=-122.
0x00b0: 3430 3039 3939 3036 3932 3133 3838 2661 40099906921388&a
0x00c0: 7069 5f76 6572 3d31 3030 3030 3030 2672 pi_ver=1000000&r
0x00d0: 616e 643d 302e 3731 3132 3331 3636 3930 and=0.7112316690
0x00e0: 3834 3934 3134 2620 4854 5450 2f31 2e31 849414&.HTTP/1.1
0x00f0: 0d0a 4163 6365 7074 3a20 2a2f 2a0d 0a52 ..Accept:.*/*..R
0x0100: 6566 6572 6572 3a20 6874 7470 3a2f 2f72 eferer:.http://r
0x0110: 6561 6c65 7374 6174 652e 7366 6761 7465 ealestate.sfgate
0x0120: 2e63 6f6d 2f68 6f6d 6573 2f50 4f54 5245 .com/homes/POTRE
0x0130: 524f 2d53 414e 2d46 5241 4e43 4953 434f RO-SAN-FRANCISCO
0x0140: 2d43 412d 5553 410d 0a41 6363 6570 742d -CA-USA..Accept-
--
JackPepper - 08 Jan 2010