[Snort-sigs] Generic Gator Client Post rule
daniel uriah clemens
daniel_clemens at ...842...
Tue Jul 8 13:56:38 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"Generic GATOR CLIENT CONNECTION VIA HTTP POST - Gator "; \
A client on your network has somehow had a Gator adware/spyware client
installed on its host.
This rule should detect a generic POST request from a Gator client.
Many corporations and individuals view this type of adware/user profile
software as a policy violation by their end users. This type of software is
also generally thought of as 'spy-ware' by the way it sends data about your
surfing habits to a third party without the direct knowledge of the end
A simple dump of HTTP POST on your network will reveal something
like the following.
x.1.20.23 - - [ 6/Jun/2003:x:48:16 -0500] "POST http://gs.gator.com/gs_hi
HTTP/1.1" - - "-" "Gator/4.0"
This particular rule looks at the POST, and then the Gator' portion of
Windows-based operating systems.
A website tricks the end user into loading this software, or this software
can be coupled with other software installing itself silently on your
computer without the end user's knowledge.
This signature identifies the posting of arbitrary data to a remote server
without the knowledge of the end user that data is being uploaded or what
data is being uploaded.
Ease of Attack:
The easiest way to clean up this software is to download a copy of
pestpatrol from pestpatrol.com.
To alleviate further installation you should tighten up the security level
on your browser and watch what software you install.
Daniel Uriah Clemens
dan.clemens at ...1661...
-Daniel Uriah Clemens
Esse quam videra
(to be, rather than to appear)
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD
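
The check this rule describes (an HTTP POST carrying a Gator User-Agent), applied to proxy access logs rather than packets. This is an added example, not part of the original post: the log layout follows the sample line in the message, and the function name and sample lines (192.0.2.x addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Proxy access-log layout, as in the sample line from the post:
# client ident user [timestamp] "METHOD URL PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'\S+ \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

def find_gator_posts(lines):
    """Map each client to the hosts it POSTed to with a Gator User-Agent."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the layout; ignore it
        # Both conditions from the rule description: POST and a Gator agent string.
        if m["method"] != "POST":
            continue
        if not m["agent"].lower().startswith("gator/"):
            continue
        # Proxies log absolute URLs; fall back to the raw value otherwise.
        host = urlsplit(m["url"]).hostname or m["url"]
        hits[m["client"]].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.23 - - [06/Jun/2003:10:48:16 -0500] '
    '"POST http://gs.gator.com/gs_hi HTTP/1.1" - - "-" "Gator/4.0"',
    '192.0.2.23 - - [06/Jun/2003:10:49:02 -0500] '
    '"GET http://www.example.com/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.40 - - [06/Jun/2003:10:50:11 -0500] '
    '"POST http://www.example.com/login HTTP/1.1" 200 312 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.57 - - [06/Jun/2003:10:51:40 -0500] '
    '"GET http://gs.gator.com/gs_hi HTTP/1.1" - - "-" "Gator/4.0"',
    'truncated or malformed entry',
]

if __name__ == "__main__":
    for client, hosts in find_gator_posts(SAMPLE_LOG).items():
        print(f"{client}: Gator client POST to {', '.join(hosts)}")
```
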