alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (9)"; flow:established,to_server; uricontent:".cgi?sid="; nocase; uricontent:"&bt="; nocase; uricontent:"&pz="; uricontent:"&rnd="; uricontent:"&tail"; classtype:trojan-activity; sid:2008095; rev:1;)
Added 2008-04-03 13:36:06 UTC
This was dropped. Was hitting on legit ad server requests.
--
MattJonkman - 04 Apr 2008
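
The false positives noted above are consistent with how the rule is built: five short `uricontent` matches on common query-parameter names, with no ordering or position constraints between them. The sketch below is an added example, not part of the original rule page or of any Emerging Threats tooling; it approximates only Snort 2.x `uricontent`/`nocase` matching (no flow, port, or URI normalization), and the sample URIs are constructed, not captured traffic.

```python
# Rule text copied from the page (sid 2008095).
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"ET TROJAN LDPinch Checkin (9)"; flow:established,to_server; '
        'uricontent:".cgi?sid="; nocase; uricontent:"&bt="; nocase; '
        'uricontent:"&pz="; uricontent:"&rnd="; uricontent:"&tail"; '
        'classtype:trojan-activity; sid:2008095; rev:1;)')

def uricontents(rule):
    """Return [(pattern, nocase)] for each uricontent option, in rule order.
    Simplified parser: assumes no ';' inside quoted option values."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    out = []
    for opt in (o.strip() for o in body.split(";")):
        if opt.startswith("uricontent:"):
            out.append([opt.split(":", 1)[1].strip().strip('"'), False])
        elif opt == "nocase" and out:
            out[-1][1] = True  # nocase modifies the content option before it
    return [tuple(p) for p in out]

def matches(rule, uri):
    """True if every uricontent pattern occurs somewhere in the URI.
    The rule has no distance/within/offset/depth, so order and position are free."""
    for pat, nocase in uricontents(rule):
        hay, needle = (uri.lower(), pat.lower()) if nocase else (uri, pat)
        if needle not in hay:
            return False
    return True

# Constructed sample URIs for regression-testing the rule logic.
SAMPLES = {
    "tokens in rule order": "/gate/x.cgi?sid=1&bt=2&pz=3&rnd=4&tail=5",
    # Different order, extra parameters, and "&tailor" still satisfies "&tail".
    "reordered ad-style": "/ads/serve.CGI?sid=77&rnd=0.8841&pz=12&tailor=1&BT=3&w=300",
    "missing pz": "/ads/serve.cgi?sid=77&bt=3&rnd=0.8841&tail=1",
    # "&pz=" has no nocase modifier, so upper case does not match.
    "upper-case PZ": "/ads/serve.cgi?sid=77&bt=3&PZ=12&rnd=1&tail=1",
}

def evaluate(samples=SAMPLES):
    """Map each sample label to whether the rule's URI conditions fire."""
    return {label: matches(RULE, uri) for label, uri in samples.items()}

if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'pass ':5}  {label}")
```

Running candidate rules against a corpus of known-benign URIs in this way, before deployment, surfaces this class of false positive early.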