[Snort-sigs] Binet Malware Rules

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...2476...
Fri Aug 6 06:17:02 EDT 2004


Is anyone else using the "Binet" malware rules from BleedingSnort?  If so, I'm trying to debug a possible false positive condition with sid:2000366

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet";
uricontent:"/bi/servlet"; nocase; content:"abetterinternet.com"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; sid:2000366; rev:3;)

This rule correctly matches HTTP requests like this...

GET http://download.abetterinternet.com/bi/servlet/Banner?d=LOT64106 HTTP/1.0

but it appears that this is not a result of a Binet infection, but a re-direct from a website.  This particular link results in a another re-direct to a page with javascript that tries to download the actual "Binet" malware. Can someone double check the HTML and JavaScript and confirm my conclusions?

The result is that I'm seeing machines that trigger sid:2000366 that end up being clean when we run SpyBot and AdAware.

Thanks! :)




More information about the Snort-sigs mailing list