[Snort-sigs] new rules for Kcast ticker

Matthew Jonkman matt at ...2436...
Wed Jul 21 07:09:01 EDT 2004


They're up on Bleedingsnort.com.  I called them Policy since the app 
doesn't appear to have a malware or adware component, just an annoying 
amount of traffic. :)

Thanks Jonathan

Matt

Miner, Jonathan W (CSC) (US SSA) wrote:

> I have two new rules that catch the Kcast ticker, which is used to monitor Gold and Silver prices.
> 
> 
> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/agtray.txt"; nocase; classtype: policy-violation; sid:1000000; rev:1;)
> 
> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/autray.txt"; nocase; classtype: policy-violation; sid:1000001; rev:1;)
> 
> The tool makes repeated requests, every 10 seconds, to the following URLs. Each request returns 22 bytes of encoded data.
> 
> GET http://kcast.kitco.com/pr/autray.txt HTTP/1.0
> GET http://kcast.kitco.com/pr/agtray.txt HTTP/1.0
> 
> Details:
> 
> http://kcast.kitco.com/
> 
> 
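Added example, not part of either post and not Bleeding Snort code: a Python sketch that applies the same match as the two rules above (outbound to port 80, URI substring, case-insensitive) to proxy-style log lines and then collapses the hits into one entry per host that polls at the 10-second interval described. The log format, the HOME_NET value, the sample lines and the function names are assumptions constructed for illustration; the plain substring test only approximates Snort's uricontent matching.

```python
import ipaddress
from collections import defaultdict

# Assumption: HOME_NET and the log layout are constructed for this example.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
KCAST_URIS = ("/pr/agtray.txt", "/pr/autray.txt")  # uricontent values from the rules

# Constructed sample lines: "epoch_seconds src_ip dst_port METHOD url"
SAMPLE_LOG = """\
1090408000 10.1.2.3 80 GET http://kcast.kitco.com/pr/autray.txt
1090408000 10.1.2.3 80 GET http://kcast.kitco.com/pr/agtray.txt
1090408010 10.1.2.3 80 GET http://kcast.kitco.com/pr/autray.txt
1090408010 10.1.2.3 80 GET http://kcast.kitco.com/PR/AGTRAY.TXT
1090408020 10.1.2.3 80 GET http://kcast.kitco.com/pr/autray.txt
1090408005 10.1.9.9 80 GET http://www.example.com/index.html
1090408007 192.0.2.7 80 GET http://kcast.kitco.com/pr/autray.txt
"""

def rule_hits(log_text):
    """Yield (ts, src, uri) for each line the two rules would alert on."""
    for line in log_text.splitlines():
        ts, src, dport, _method, url = line.split()
        # Rule header: $HOME_NET any -> any 80
        if ipaddress.ip_address(src) not in HOME_NET or dport != "80":
            continue
        lowered = url.lower()  # emulates the nocase modifier
        for uri in KCAST_URIS:
            if uri in lowered:
                yield int(ts), src, uri

def polling_hosts(log_text, interval=10, tolerance=2, min_hits=3):
    """Return {src: hits} for hosts requesting one URI at ~interval seconds."""
    times = defaultdict(list)
    for ts, src, uri in rule_hits(log_text):
        times[(src, uri)].append(ts)
    result = {}
    for (src, _uri), seen in times.items():
        seen.sort()
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        # Every gap must sit within tolerance of the expected polling interval.
        if len(seen) >= min_hits and all(abs(g - interval) <= tolerance for g in gaps):
            result[src] = max(result.get(src, 0), len(seen))
    return result

if __name__ == "__main__":
    print(polling_hosts(SAMPLE_LOG))
```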



