Snort mailing list archives

Re: Air Installer PUA


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 26 Nov 2013 15:01:38 -0700

On 2013-11-26 14:51, James Lay wrote:
Meh:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32/AirAdInstaller Outbound Traffic"; 
flow:to_server,established; 
content:"User-Agent: Launcher Get Log Level"; fast_pattern:only; 
content:"|2f|get|2f|log_level|2f 3f|bundle="; http_uri; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,malwr.com/analysis/YWEyNGQ1MGJjYmQ1NDBjODg1NjExNWJkOTYwNjZiZjQ; 
classtype:bad-unknown; sid:10000114; rev:1;)

Adware...anyone remember AdAware?  Blast from the past for me :)

James

Missed the http_header...thanks RM!

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32/AirAdInstaller Outbound Traffic"; 
flow:to_server,established; 
content:"User-Agent: Launcher Get Log Level"; http_header; fast_pattern:only; 
content:"|2f|get|2f|log_level|2f 3f|bundle="; http_uri; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,malwr.com/analysis/YWEyNGQ1MGJjYmQ1NDBjODg1NjExNWJkOTYwNjZiZjQ; 
classtype:bad-unknown; sid:10000114; rev:1;)

James
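Added example (not Snort and not code from James's post): a small Python model of the rule's two content matches, showing what the http_header modifier changes. It decodes Snort's |xx| hex notation, splits a raw HTTP/1.x request into the buffers a modifier can select, and applies the rule as first posted (User-Agent string unscoped) and as corrected (scoped to http_header) to constructed sample requests. The buffer split is a simplification of Snort's real HTTP inspection, the host name and requests are constructed, and fast_pattern:only (a matcher performance hint) is not modelled.

```python
"""Toy model of how the two content matches in the rule above are applied.

Constructed example written for this thread, not Snort itself and not code
from the original post. The sample requests and host name are made up.
"""


def decode_snort_content(content: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, hex pairs
    inside |...| are bytes, e.g. "|2f|get|2f|log_level|2f 3f|bundle="
    becomes b"/get/log_level/?bundle="."""
    out = bytearray()
    # Splitting on "|" alternates literal and hex segments.
    for i, segment in enumerate(content.split("|")):
        if i % 2 == 0:
            out += segment.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in segment.split())
    return bytes(out)


def split_http_request(raw: bytes) -> dict:
    """Split a raw request into the buffers a content modifier can select.

    Assumption/simplification: http_uri is the request-URI from the request
    line, http_header is the header block after the request line, and None
    (no modifier) is the whole payload. Snort's URI normalisation and header
    handling are not modelled.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, uri, _version = lines[0].split(b" ", 2)
    return {
        "http_uri": uri,
        "http_header": b"\r\n".join(lines[1:]) + b"\r\n",
        None: raw,
    }


# Content matches as written in the corrected rule: (content, buffer modifier).
SCOPED_CONTENTS = [
    ("User-Agent: Launcher Get Log Level", "http_header"),
    ("|2f|get|2f|log_level|2f 3f|bundle=", "http_uri"),
]
# The first posting of the rule left the User-Agent match unscoped.
UNSCOPED_CONTENTS = [
    ("User-Agent: Launcher Get Log Level", None),
    ("|2f|get|2f|log_level|2f 3f|bundle=", "http_uri"),
]


def rule_matches(raw: bytes, contents) -> bool:
    """True when every content match is found in the buffer its modifier selects."""
    buffers = split_http_request(raw)
    return all(decode_snort_content(c) in buffers[mod] for c, mod in contents)


# Constructed request shaped like the traffic the rule describes.
SUSPECT = (
    b"GET /get/log_level/?bundle=example HTTP/1.1\r\n"
    b"Host: placeholder.invalid\r\n"
    b"User-Agent: Launcher Get Log Level\r\n"
    b"\r\n"
)
# Constructed request with an ordinary User-Agent; the rule's string sits only in the body.
BODY_ONLY = (
    b"POST /get/log_level/?bundle=example HTTP/1.1\r\n"
    b"Host: placeholder.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"User-Agent: Launcher Get Log Level"
)
# Constructed unrelated request.
BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: placeholder.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT), ("body_only", BODY_ONLY), ("benign", BENIGN)):
        print(f"{name:10s} unscoped={rule_matches(req, UNSCOPED_CONTENTS)!s:5s} "
              f"scoped={rule_matches(req, SCOPED_CONTENTS)}")
```

Running it shows the suspect request matching both versions, the benign one matching neither, and the body-only request matching only the unscoped version: without http_header the User-Agent string is searched for anywhere in the payload, while the corrected rule only fires when it is actually in the header block.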

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
