[Snort-sigs] new rules for Kcast ticker

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...2476...
Wed Jul 21 06:04:13 EDT 2004


I have two new rules that catch the Kcast ticker, which is used to monitor Gold and Silver prices.


alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/agtray.txt"; nocase; classtype: policy-violation; sid:1000000; rev:1;)

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/autray.txt"; nocase; classtype: policy-violation; sid:1000001; rev:1;)

The tool makes repeated requests, every 10 seconds, to the following URLs. Each request returns 22 bytes of encoded data.

GET http://kcast.kitco.com/pr/autray.txt HTTP/1.0
GET http://kcast.kitco.com/pr/agtray.txt HTTP/1.0

Details:

http://kcast.kitco.com/
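
Added example, not part of the original post: because the post says the ticker requests both URLs every 10 seconds, the same traffic can be confirmed in proxy logs by checking the spacing of requests per client, which separates a running ticker from a one-off page visit. The log format, addresses, timestamps and the function name find_pollers are constructed for illustration.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Paths from the post; compared in lower case, mirroring the rules' nocase.
KCAST_PATHS = {"/pr/autray.txt", "/pr/agtray.txt"}

# Constructed sample proxy log: "<epoch seconds> <client ip> <method> <url>".
SAMPLE_LOG = """\
1090404000 10.0.0.5 GET http://kcast.kitco.com/pr/autray.txt
1090404000 10.0.0.5 GET http://kcast.kitco.com/pr/agtray.txt
1090404010 10.0.0.5 GET http://kcast.kitco.com/pr/autray.txt
1090404010 10.0.0.5 GET http://kcast.kitco.com/pr/agtray.txt
1090404020 10.0.0.5 GET http://kcast.kitco.com/pr/autray.txt
1090404021 10.0.0.5 GET http://kcast.kitco.com/pr/agtray.txt
1090404030 10.0.0.5 GET http://kcast.kitco.com/pr/autray.txt
1090404030 10.0.0.5 GET http://kcast.kitco.com/pr/agtray.txt
1090404005 10.0.0.9 GET http://kcast.kitco.com/pr/autray.txt
1090404000 10.0.0.7 GET http://kcast.kitco.com/PR/AGTRAY.TXT
1090404300 10.0.0.7 GET http://kcast.kitco.com/PR/AGTRAY.TXT
1090404900 10.0.0.7 GET http://kcast.kitco.com/PR/AGTRAY.TXT
1090404015 10.0.0.5 GET http://www.example.com/index.html
"""

def find_pollers(log_text, interval=10, tolerance=2, min_requests=3):
    """Return {client: {path: median gap}} for clients that request a
    Kcast path repeatedly at roughly `interval` seconds apart."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, method, url = parts
        path = urlsplit(url).path.lower()
        if method == "GET" and path in KCAST_PATHS:
            times[(client, path)].append(int(ts))
    pollers = defaultdict(dict)
    for (client, path), stamps in times.items():
        if len(stamps) < min_requests:
            continue  # a single visit is not polling
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        gap = median(gaps)  # median tolerates an occasional late request
        if abs(gap - interval) <= tolerance:
            pollers[client][path] = gap
    return dict(pollers)

if __name__ == "__main__":
    print(find_pollers(SAMPLE_LOG))
```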



