[Snort-sigs] Asprox sig

waldo kitty wkitty42 at ...3507...
Thu Jul 11 18:44:30 EDT 2013


On 7/11/2013 16:03, Nick Randolph wrote:
> The initial dropper is picked up with sid:20221 but I noticed something
> interesting when I looked at our samples.
>
> It's not obvious in the write up from M86 but the separation between the
> user-agent header and the host header doesn't have the typical \x0d\x0a it only
> has \x0a

this is how numerous imposters are found... either the headers are out of order 
or they have something similar to this... things like this can only be seen in 
packet inspections... they won't show up by looking at server logs...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-sigs mailing list