Snort mailing list archives

Rovnix UA sig


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 05 Aug 2013 11:43:23 -0600

I'm sure there's other things to match as well:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Rovnix UA detected"; content:"User-Agent|3a| FWVersionTestAgent"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; classtype:trojan-activity; sid:10000088; rev:1;)

James
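The following is an added illustration, not part of James's post: a small Python emulation of what the rule above matches, run over a few constructed HTTP requests. It reproduces the rule's single content test (the literal `User-Agent: FWVersionTestAgent`, `|3a|` being the hex escape for the colon) against a rough equivalent of Snort's http_header buffer, so a reader can see both what the signature catches and where a literal, case-sensitive pattern is brittle (for example a User-Agent header with no space after the colon is not matched). The sample requests, the `Alert` type and the helper names are all constructed for this example; this is not Snort's matching engine and makes no claim about how Snort normalizes headers.

```python
"""Toy emulation of the Rovnix User-Agent signature from the post above.

Constructed example: the constants mirror the rule's content, sid and msg;
everything else (sample requests, Alert type, helper names) is made up here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Literal taken from the rule: content:"User-Agent|3a| FWVersionTestAgent".
# Snort content matches are case-sensitive unless 'nocase' is set, and this
# rule sets none, so the comparison below is case-sensitive too.
RULE_PATTERN = b"User-Agent: FWVersionTestAgent"
RULE_SID = 10000088
RULE_MSG = "MALWARE-CNC Rovnix UA detected"


@dataclass
class Alert:
    sid: int
    msg: str
    request_line: str
    user_agent: str


def split_http_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (request_line, header_block) for a raw HTTP request.

    The header block (lines after the request line, up to the blank line) is
    the rough analogue of Snort's http_header buffer; the body is dropped, so
    the rule's pattern is never searched for in POST data.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return request_line, headers


def match_rovnix_ua(raw: bytes) -> Optional[Alert]:
    """Apply the rule's content test to one request; return an Alert on a hit."""
    request_line, headers = split_http_request(raw)
    if RULE_PATTERN not in headers:
        return None
    # Extract the full User-Agent value for the alert record.
    user_agent = ""
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            user_agent = value.strip().decode("latin-1")
            break
    return Alert(RULE_SID, RULE_MSG, request_line.decode("latin-1"), user_agent)


def scan(requests: List[bytes]) -> List[Alert]:
    """Run the rule over a list of raw requests and collect the alerts."""
    return [a for a in (match_rovnix_ua(r) for r in requests) if a is not None]


# Constructed sample traffic (hostnames use the reserved .invalid TLD).
SAMPLE_REQUESTS = [
    # 0: the User-Agent the rule is written for -> alert
    b"GET /index.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    b"User-Agent: FWVersionTestAgent\r\n\r\n",
    # 1: ordinary browser UA -> no alert
    b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101\r\n\r\n",
    # 2: pattern only in the body, not the headers -> no alert (http_header scope)
    b"POST /upload HTTP/1.1\r\nHost: www.example.invalid\r\n"
    b"User-Agent: curl/7.30\r\n\r\nUser-Agent: FWVersionTestAgent",
    # 3: no space after the colon -> no alert; shows how literal the content is
    b"GET /index.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    b"User-Agent:FWVersionTestAgent\r\n\r\n",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(f"[sid {alert.sid}] {alert.msg}: {alert.request_line} UA={alert.user_agent!r}")
```

Sample 3 is the practitioner's caveat: the rule matches only the exact byte sequence, so any variation in spacing or case escapes it, which is why the post's "there's other things to match as well" matters when building coverage for this family.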

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org