Trojan Proxy.afv Sigs
Written by Matt Jonkman   
Wednesday, 02 January 2008

Many of the current bots and trojans submit their check-in data as HTTP POST bodies rather than as URL parameters. That makes it harder for us to write good low-load signatures, since we can't just rely on the URI preprocessor to keep the match confined to the POST header. We will have to move to more signatures of this type in the future. The risk is that we end up applying the signature to an entire binary POST body and the like.

 

Created by Jeremy Conway with contributions from Steven Adair

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN TROJ_PROX.AFV POST"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:".php"; nocase; content:"=|22|sid|22|"; nocase; content:"=|22|up|22|"; nocase; content:"=|22|wbfl|22|"; nocase; content:"=|22|v|22|"; nocase; content:"=|22|ping|22|"; nocase; content:"=|22|guid|22|"; nocase; content:"=|22|wv|22|"; nocase; reference:url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T; classtype:trojan-activity; sid:2007728; rev:1;)
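The checks that rule performs, emulated over raw HTTP requests in Python as an added example (not part of the original post or the ruleset). The beacon and upload requests are constructed, and the body-capped variant is an assumption about how one might bound the scan to address the "entire binary POST" concern above, not a Snort option.

```python
# Emulation of the TROJ_PROX.AFV rule's content checks on raw HTTP POST payloads.
# Constructed example; the sample requests are made up, not captured malware traffic.

# Snort writes bytes as |hex|; |22| is a double quote, so =|22|sid|22| is ="sid".
TOKEN_NAMES = (b"sid", b"up", b"wbfl", b"v", b"ping", b"guid", b"wv")
TOKENS = [b'="' + name + b'"' for name in TOKEN_NAMES]


def split_request(payload: bytes):
    """Return (request_line, headers, body) of a raw HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return request_line, headers, body


def _post_to_php(payload: bytes) -> bool:
    """'POST ' within depth 5 and '.php' somewhere in the request URI (case-insensitive)."""
    if payload[:5].lower() != b"post ":
        return False
    request_line, _, _ = split_request(payload)
    parts = request_line.split(b" ")
    return len(parts) >= 2 and b".php" in parts[1].lower()


def matches_rule(payload: bytes) -> bool:
    """The rule as written: unscoped content matches, so every ="name" token is
    searched across the whole payload, headers and body alike."""
    lower = payload.lower()
    return _post_to_php(payload) and all(tok in lower for tok in TOKENS)


def matches_rule_body_capped(payload: bytes, max_body_bytes: int = 512) -> bool:
    """Assumed variant: tokens are searched only in the first max_body_bytes of the
    body, so a large binary upload is not scanned end to end."""
    _, _, body = split_request(payload)
    window = body[:max_body_bytes].lower()
    return _post_to_php(payload) and all(tok in window for tok in TOKENS)


# Constructed beacon in the shape the rule describes (names and values are made up).
BEACON = (
    b"POST /gate.php HTTP/1.1\r\nHost: example.invalid\r\nContent-Type: text/xml\r\n\r\n"
    b'<r><p n="sid">1</p><p n="up">0</p><p n="wbfl">0</p><p n="v">2</p>'
    b'<p n="ping">1</p><p n="guid">abc</p><p n="wv">5</p></r>'
)

# Constructed benign upload: a binary body that happens to carry the same byte
# sequences 2 KiB in, well past the capped window, so only the unscoped rule fires.
UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    + bytes(range(256)) * 8 + b"".join(TOKENS) + bytes(range(256)) * 8
)
```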

 

Posted, Thanks Jeremy and Steven!

Last Updated ( Wednesday, 02 January 2008 )