Snort mailing list archives
Re: Asprox sig
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 11 Jul 2013 18:44:30 -0400
On 7/11/2013 16:03, Nick Randolph wrote:
The initial dropper is picked up with sid:20221, but I noticed something interesting when I looked at our samples. It's not obvious in the write-up from M86, but the separation between the User-Agent header and the Host header doesn't have the typical \x0d\x0a; it only has \x0a.
this is how numerous imposters are found... either the headers are out of order or they have something similar to this... things like this can only be seen in packet inspections... they won't show up by looking at server logs...

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
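The framing anomaly discussed in the two messages above (a bare \x0a between the User-Agent and Host headers where a conforming client sends \x0d\x0a, plus header ordering) is straightforward to test for on raw request bytes. The script below is an added example written for this page; it is not code from the thread, from M86, or from the Snort project. Both request samples are constructed, and the function names are my own.

```python
"""Check HTTP request header framing for bare-LF line endings and report header order.

Added example for the Snort-sigs thread above, not code from the thread or
from Snort. The two requests below are constructed samples, not captured traffic.
"""
import re

# Constructed sample: a conforming request, every header line ends in \r\n.
NORMAL_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# Constructed sample: User-Agent line ends in a bare \x0a, and User-Agent
# precedes Host, the two traits the thread describes.
SUSPECT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0\n"
    b"Host: example.com\r\n"
    b"\r\n"
)

# Terminators accepted when splitting lines; \r\n is tried first so a CRLF
# is never mis-read as a bare LF.
LINE_END = re.compile(rb"\r\n|\n")


def parse_header_block(raw):
    """Split the header block into (line, terminator) pairs.

    The block ends at the first empty line. A bare-LF empty line is accepted
    too, so non-conforming requests still parse instead of being skipped.
    """
    end = re.search(rb"(\r\n|\n)(\r\n|\n)", raw)
    block = raw[: end.start() + len(end.group(1))] if end else raw
    lines, pos = [], 0
    for m in LINE_END.finditer(block):
        lines.append((block[pos:m.start()], m.group(0)))
        pos = m.end()
    if pos < len(block):  # trailing line with no terminator at all
        lines.append((block[pos:], b""))
    return lines


def analyze_request(raw):
    """Return header order and the headers whose line lacks the \r\n terminator.

    'suspicious' is set when any header line is not CRLF-terminated; the
    header order is reported as data so a caller can apply its own baseline.
    """
    lines = parse_header_block(raw)
    request_line = lines[0][0].decode("latin-1") if lines else ""
    order, bare_lf = [], []
    for line, term in lines[1:]:
        name = line.split(b":", 1)[0].strip().decode("latin-1")
        order.append(name)
        if term != b"\r\n":
            bare_lf.append(name)
    return {
        "request_line": request_line,
        "header_order": order,
        "bare_lf_after": bare_lf,  # header lines ending in \x0a only
        "suspicious": bool(bare_lf),
    }


if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, analyze_request(req))
```

Running the script prints the parsed view of both samples; the suspect request is flagged because its User-Agent line ends in a lone \x0a, and its header order (User-Agent before Host) is reported alongside. The same byte-level condition is what a Snort content match can pin down on the wire; as waldo notes, a web server's access log normalises the request and will not show the difference, so a check like this has to run against packet captures.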
Current thread:
- Asprox sig James Lay (Jul 09)
- Re: Asprox sig lists () packetmail net (Jul 09)
- Re: Asprox sig James Lay (Jul 09)
- Re: Asprox sig James Lay (Jul 09)
- Re: Asprox sig Joel Esler (Jul 09)
- Re: Asprox sig Nick Randolph (Jul 11)
- Re: Asprox sig waldo kitty (Jul 11)
- Re: Asprox sig James Lay (Jul 09)
- Re: Asprox sig lists () packetmail net (Jul 09)