Written by Matt Jonkman
Monday, 05 May 2008

Seeing how Srizbi has overtaken Storm as most widespread I thought we should have some sigs for the common Srizbi loader URLs as we've been doing for Storm. There's been a lot of good feedback on those. Definitely helps tip an admin off to a possible infection, or stop one if you're blocking. The latest spams for Srizbi advertise URLs ending in /My_foto.exe, which ought to be relatively unique. Will just run this till they move to the next big thing.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)"; flow:established,to_server; uricontent:"/My_foto.exe"; nocase; classtype:trojan-activity; sid:2008188; rev:1;)

Written by Matt Jonkman
Monday, 05 May 2008

I dropped the April Fools Day Storm sigs from Current Events, replaced with the latest, /load.exe.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:5;)

Thanks to Jeremy at Sudosecure.net for the update!

Last Updated ( Wednesday, 07 May 2008 )
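The two rules in the Srizbi and Storm posts above lean on two Snort content features: a case-insensitive `uricontent` match on the request URI, and (for the Storm rule) a raw `content` match whose string mixes `|0d 0a|` hex segments with backslash-escaped `:` and `;`. The following added example, which is not Snort code and not part of the original posts, reproduces just those two semantics in Python so the rules can be tried against sample HTTP requests offline. The request bytes are constructed for illustration; `example.invalid` is a placeholder host.

```python
# Added example: minimal matcher for the two ET CURRENT_EVENTS rules quoted
# above (sids 2008188 and 2008077). Not Snort; it reproduces only the
# uricontent/nocase and content (|hex| + backslash escape) semantics the rules
# depend on. All request samples below are constructed, not captured traffic.


def parse_snort_content(spec: str) -> bytes:
    # Turn a Snort content string into raw bytes. Handles |hh hh ...| binary
    # segments and the backslash escapes Snort requires inside content
    # strings (\; \: \" \\).
    out = bytearray()
    i, in_hex = 0, False
    while i < len(spec):
        c = spec[i]
        if c == "|":                      # toggle a binary (hex) segment
            in_hex = not in_hex
            i += 1
        elif in_hex:
            if c.isspace():               # whitespace between hex bytes
                i += 1
            else:
                out.append(int(spec[i:i + 2], 16))
                i += 2
        elif c == "\\" and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))  # escaped literal character
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


# The two rules, reduced to the fields the matcher needs.
RULES = [
    {"sid": 2008188,
     "msg": "ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)",
     "uricontent": "/My_foto.exe", "nocase": True, "content": None},
    {"sid": 2008077,
     "msg": "ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)",
     "uricontent": "/load.exe", "nocase": True,
     "content": r"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; "
                r"Windows NT 5.1\; SV1921)|0d 0a|"},
]


def match_http_request(raw: bytes, rules=RULES):
    # Return the sids of all rules matched by one client->server HTTP request.
    # uricontent is tested against the request-target only; content against
    # the whole request, exactly as the rules are written.
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return []
    uri = parts[1]
    hits = []
    for r in rules:
        needle, hay = parse_snort_content(r["uricontent"]), uri
        if r["nocase"]:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            continue
        if r["content"] is not None and parse_snort_content(r["content"]) not in raw:
            continue
        hits.append(r["sid"])
    return hits


# Constructed sample requests (not real captures).
SRIZBI_REQ = (b"GET /images/MY_FOTO.EXE HTTP/1.1\r\n"
              b"Host: example.invalid\r\n"
              b"User-Agent: Mozilla/4.0\r\n\r\n")
STORM_REQ = (b"GET /load.exe HTTP/1.1\r\n"
             b"Host: example.invalid\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)\r\n\r\n")
# Same URI as Storm but a different User-Agent: the content clause should
# keep this one from firing, which is what the UA string in the rule is for.
BENIGN_LOAD_REQ = (b"GET /load.exe HTTP/1.1\r\n"
                   b"Host: example.invalid\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("srizbi", SRIZBI_REQ), ("storm", STORM_REQ),
                      ("benign load.exe", BENIGN_LOAD_REQ)]:
        print(name, "->", match_http_request(req))
```

The benign `load.exe` sample is the point of the exercise: the Srizbi rule keys on the URI alone, while the Storm rule also requires the specific User-Agent header, so a request for `/load.exe` from an ordinary browser string does not trip sid 2008077.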

Written by Matt Jonkman
Monday, 05 May 2008

New sigs sent in by Adam Pointon of SentinelSecurity.net. One for Paros Proxy, a web app scanner (http://www.parosproxy.org). That's available here: http://doc.emergingthreats.net/2008187
And another for DirBuster, another scanner from OWASP. Sig available here: http://doc.emergingthreats.net/2008186
Good stuff, thanks for sharing Adam!

Last Updated ( Monday, 05 May 2008 )