[Snort-sigs] new rules for Kcast ticker
matt at ...2436...
Wed Jul 21 07:09:01 EDT 2004
They're up on Bleedingsnort.com. I called them Policy since the app
doesn't appear to have a malware or adware component, just an annoying
amount of traffic. :)
Miner, Jonathan W (CSC) (US SSA) wrote:
> I have two new rules that catch the Kcast ticker, which is used to monitor Gold and Silver prices.
> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/agtray.txt"; nocase; classtype: policy-violation; sid:1000000; rev:1;)
> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/autray.txt"; nocase; classtype: policy-violation; sid:1000001; rev:1;)
> The tool makes repeated requests, every 10 seconds, to the following URLs. Each request returns 22 bytes of encoded data.
> GET http://kcast.kitco.com/pr/autray.txt HTTP/1.0
> GET http://kcast.kitco.com/pr/agtray.txt HTTP/1.0
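
An added example, not part of the original thread: a Python sketch that applies the same case-insensitive URI match as the two rules to HTTP request lines, then uses the 10-second request interval described above to separate a running ticker from a one-off fetch. The log line format, client addresses, timestamps and function names are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# URI strings taken from the two rules quoted above
KCAST_URIS = ("/pr/agtray.txt", "/pr/autray.txt")

def build_sample_log():
    """Constructed sample: '<epoch> <client> <method> <target> <version>' per line."""
    lines = []
    for i in range(6):  # 10.0.0.5 runs the ticker: both URLs every 10 seconds
        t = 1090400000 + 10 * i
        lines.append(f"{t} 10.0.0.5 GET http://kcast.kitco.com/pr/autray.txt HTTP/1.0")
        lines.append(f"{t} 10.0.0.5 GET http://kcast.kitco.com/pr/agtray.txt HTTP/1.0")
    # 10.0.0.9 fetches one URL once, in a different case (the rules use nocase)
    lines.append("1090400007 10.0.0.9 GET http://kcast.kitco.com/PR/AuTray.txt HTTP/1.0")
    # 10.0.0.7 requests something unrelated
    lines.append("1090400012 10.0.0.7 GET http://www.example.com/index.html HTTP/1.0")
    return lines

def kcast_hits(lines):
    """Return {client: {uri: [timestamps]}} for requests either rule would match."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, client, _method, target, _version = fields
        for uri in KCAST_URIS:
            if uri in target.lower():  # substring match, case-insensitive
                hits[client][uri].append(int(ts))
    return hits

def summarize(lines, period=10, tolerance=2, min_hits=3):
    """Per client: number of rule matches, and whether requests repeat on the ticker's period."""
    report = {}
    for client, per_uri in kcast_hits(lines).items():
        polling = False
        for stamps in per_uri.values():
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if len(stamps) >= min_hits and abs(median(gaps) - period) <= tolerance:
                polling = True
        report[client] = {"alerts": sum(len(s) for s in per_uri.values()), "polling": polling}
    return report

if __name__ == "__main__":
    for client, row in sorted(summarize(build_sample_log()).items()):
        print(client, row)
```

With the sample data, one minute of ticker activity from a single host produces 12 matches across the two rules, which is the alert volume to plan for when enabling them.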