Snort mailing list archives

Re: Asprox sig


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 11 Jul 2013 18:44:30 -0400

On 7/11/2013 16:03, Nick Randolph wrote:
The initial dropper is picked up with sid:20221, but I noticed something
interesting when I looked at our samples.

It's not obvious in the write-up from M86, but the separation between the
User-Agent header and the Host header doesn't have the typical \x0d\x0a; it only
has \x0a.

this is how numerous imposters are found... either the headers are out of order
or they have something similar to this... things like this can only be seen in
packet inspection... they won't show up by looking at server logs...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
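An added example (not from either poster) showing how the separator anomaly described above can be checked on captured request bytes, which is where it is visible; the two requests are constructed, not real samples:

```python
# Constructed sample requests (not real captures). The second one carries the
# anomaly from the thread: User-Agent and Host are separated by a bare \x0a.
NORMAL_REQUEST = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
BARE_LF_REQUEST = (
    b"GET /index.php HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0\n"        # \x0a only, no \x0d
    b"Host: www.example.com\r\n"
    b"\r\n"
)

def split_head_lines(raw: bytes):
    """Yield (line, terminator) pairs up to the first blank line, accepting
    both CRLF and bare LF so the terminator actually on the wire is kept.
    A server log never records this; only the raw bytes show it."""
    pos = 0
    while pos < len(raw):
        lf = raw.find(b"\n", pos)
        if lf == -1:                      # unterminated final line
            yield raw[pos:], b""
            return
        if lf > pos and raw[lf - 1] == 0x0D:
            line, term = raw[pos:lf - 1], b"\r\n"
        else:
            line, term = raw[pos:lf], b"\n"
        yield line, term
        pos = lf + 1
        if line == b"":                   # blank line ends the header block
            return

def analyse_request(raw: bytes) -> dict:
    """Report header names in wire order and which headers were terminated
    by a bare LF; a non-empty bare_lf_after list marks the request."""
    lines = list(split_head_lines(raw))
    headers, bare_lf_after = [], []
    for line, term in lines[1:]:          # skip the request line
        if line == b"":
            break
        name = line.split(b":", 1)[0].strip().lower().decode("latin-1")
        headers.append(name)
        if term == b"\n":
            bare_lf_after.append(name)
    return {"headers": headers, "bare_lf_after": bare_lf_after,
            "suspicious": bool(bare_lf_after)}
```

The returned header order can be compared against what the claimed client normally sends, which covers the out-of-order case mentioned in the reply.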

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

