Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Openadvertising.com Malware Campaign malicious jar sigs

From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 18 Jun 2013 16:47:17 -0600
Again, slowish day:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"INDICATOR-COMPROMSED openxadvertising.com Malvertising Campaign 
URI request 1"; flow:to_server,established; 
content:"|2f|.cache|2f||3f|f=site.jar&k=&h="; http_uri; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; 
classtype:trojan-activity; sid:10000078; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"INDICATOR-COMPROMSED openxadvertising.com Malvertising Campaign 
URI request 2"; flow:to_server,established; 
content:"|2f|.cache|2f||3f|f=atom.jar&k=&h="; http_uri; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; 
classtype:trojan-activity; sid:10000079; rev:1;)

James

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: