# ET TROJAN "Pakes/Cutwall/Kobcka Update Detected High Ports" -- sid 2008011, rev 3.
# (The msg spelling "Cutwall" is left exactly as shipped; the family is more commonly written Cutwail.)
# Fires on the client side of an established TCP session (flow:established,to_server) from $HOME_NET
# to any $EXTERNAL_NET port 1024 or above ("1024:") whose payload begins with "GET " (depth:4) and then
# carries, in this order, CRLF "Host: ", CRLF "X-Flags: ", CRLF "X-TM:" and CRLF "X-BI: ". Each
# distance:0 chains the next match off the end of the previous one, so the header order is enforced.
# These are the non-standard request headers shown in the captured request further down this page.
# NOTE(review): all content matches are case-sensitive (no nocase) although HTTP header names are
# case-insensitive, and they are order-dependent -- a client that lowercases or reorders the X-*
# headers would slip past this rule.
# NOTE(review): within:40 requires the "X-Flags: " match to fall within 40 bytes of the end of the
# "Host: " match, so a Host value much longer than ~29 bytes would push it outside the window; the
# sample below uses a bare IPv4 address, which fits comfortably.
# No reference: or metadata keywords are present; the digest at the bottom of the page is the only
# provenance given for this signature.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:3;)
Added 2008-05-19 10:47:59 UTC
# sid 2008011 rev 3 (this line repeats the rev 3 text listed above it on this page).
# Compared with rev 2 the only change is the destination port range: "9000:" became "1024:", i.e.
# every port from 1024 upward. That widens coverage of the update check but also means any
# unrelated HTTP on a high port is now inspected against the content chain.
# The detection logic itself is unchanged: "GET " anchored at the start of the payload (depth:4),
# then CRLF "Host: ", CRLF "X-Flags: " (within 40 bytes of the Host match), CRLF "X-TM:" and
# CRLF "X-BI: ", each chained with distance:0 so the headers must appear in this order.
# NOTE(review): matches are case-sensitive (no nocase); HTTP header names are not.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:3;)
Added 2008-05-19 10:47:59 UTC
# sid 2008011 rev 2. Destination ports 9000 and above only ("9000:"); the later rev 3 widens this
# to "1024:".
# Differs from rev 1 solely by escaping the colon in the Host match ("Host\: "), which makes it
# consistent with the X-Flags, X-TM and X-BI content strings in the same rule.
# Detection: established client->server TCP, payload starting "GET " (depth:4), then CRLF "Host: ",
# CRLF "X-Flags: " within 40 bytes of the Host match, CRLF "X-TM:" and CRLF "X-BI: ", all chained
# with distance:0 (order enforced).
# NOTE(review): no nocase on any content, so header-name case variations are not matched.
alert tcp $HOME_NET any -> $EXTERNAL_NET 9000: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:2;)
Added 2008-03-18 00:12:47 UTC
# sid 2008011 rev 2 (this line repeats the rev 2 text listed above it on this page).
# Matches outbound GET requests to $EXTERNAL_NET ports >= 9000 that carry the Host, X-Flags,
# X-TM and X-BI headers in that order; "within:40" ties X-Flags to the 40 bytes following the
# Host match. Content strings are case-sensitive and the chain is order-dependent.
alert tcp $HOME_NET any -> $EXTERNAL_NET 9000: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:2;)
Added 2008-03-18 00:12:47 UTC
# sid 2008011 rev 1 -- initial version, written against the request captured below.
# Destination ports 9000 and above only ("9000:").
# NOTE(review): the Host content is written "Host: " with an unescaped colon, whereas the
# X-Flags, X-TM and X-BI contents in the same rule escape theirs ("\:"). Rev 2 fixes this
# inconsistency; whether the bare form even parses depends on the Snort version in use, so
# treat this revision as superseded.
# Detection chain: "GET " at depth:4, then CRLF "Host: ", CRLF "X-Flags: " within 40 bytes of
# the Host match, CRLF "X-TM:" and CRLF "X-BI: ", each chained with distance:0. All matches are
# case-sensitive (no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET 9000: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:1;)
Added 2008-03-17 17:46:41 UTC
Example of the request this rule is written against; it was observed going to very high destination ports rather than port 80, which is why the rule keys on a port range instead of $HTTP_PORTS:
GET /g/D93400-406ED5-6200FD HTTP/1.1
Host: 208.72.168.13
X-Flags: 0
X-TM: 32
X-BI: D8CFC1C6CBC7D6C3C4D9DE
X-PH: 0
The server's response (note the Set-Cookie value, which appears to echo the client's reverse-DNS name and IP address, and the non-standard X-SGS / X-NST headers, which could anchor a companion server-to-client signature):
HTTP/1.1 200 OK
Content-Length: 37593
Content-Type: application/x-zip-compressed
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
Set-Cookie: static-71-119-18-3.lsanca.dsl-w.verizon.net 71.119.18.3
X-SGS: 1 1
X-Powered-By: ASP.NET
X-NST: 6|10|1|60|4|40|3|100|7|300|5|5 10 3 1 1|
Reference sample: 533edc69d1a58ce0187630d79f3600bf (32 hex characters, presumably the MD5 of the associated binary)
--
MattJonkman - 17 Mar 2008