[Snort-sigs] Comet Cursor Spyware

Matthew Jonkman matt at ...2436...
Fri Jul 16 13:40:07 EDT 2004

Joel Esler has submitted this rule to detect Comet Cursor Spyware:

alert tcp $EXTERNAL_NET 80 and -> $HOME_NET any (msg:"BLEEDING-EDGE 
Comet Cursor spyware detection"; content:"|53 65 72 76 65 72|"; 
content:"|43 6F 6D 65 74|"; reference: 
sid:2000551; rev:1;)

I think I've already got a couple hits on it after running for about 2 
minutes. Nice...

Thanks Joel


More information about the Snort-sigs mailing list