[Snort-sigs] Asprox sig
wkitty42 at ...3507...
Thu Jul 11 18:44:30 EDT 2013
On 7/11/2013 16:03, Nick Randolph wrote:
> The initial dropper is picked up with sid:20221 but I noticed something
> interesting when I looked at our samples.
> It's not obvious in the write-up from M86, but the separation between the
> user-agent header and the host header doesn't have the typical \x0d\x0a; it only
> has \x0a
this is how numerous imposters are found... either the headers are out of order
or they have something similar to this... things like this can only be seen in
packet inspections... they won't show up by looking at server logs...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
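
The check discussed in this thread, as an added example that is not part of the original messages: it walks the raw bytes of an HTTP request and reports which header lines end in a bare \x0a instead of \x0d\x0a, along with the header order. The sample requests are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample requests (not taken from any capture). In ODD the
# User-Agent line ends with a bare LF (\x0a) instead of CRLF (\x0d\x0a).
NORMAL = (b"GET /index.html HTTP/1.1\r\n"
          b"User-Agent: Mozilla/5.0\r\n"
          b"Host: example.test\r\n\r\n")
ODD = (b"GET /index.html HTTP/1.1\r\n"
       b"User-Agent: Mozilla/5.0\n"
       b"Host: example.test\r\n\r\n")

# One line = everything up to (not including) the next LF byte.
_LINE = re.compile(rb"([^\n]*)\n")


def header_terminators(raw: bytes):
    """Return [(header_name, 'CRLF' or 'LF'), ...] in wire order."""
    out = []
    lines = _LINE.finditer(raw)
    next(lines, None)  # skip the request line
    for m in lines:
        body = m.group(1)
        term = "CRLF" if body.endswith(b"\r") else "LF"
        line = body.rstrip(b"\r")
        if not line:  # blank line marks the end of the header section
            break
        name = line.split(b":", 1)[0].strip().decode("latin-1")
        out.append((name, term))
    return out


def bare_lf_headers(raw: bytes):
    """Names of headers whose line ends in a bare LF."""
    return [name for name, term in header_terminators(raw) if term == "LF"]


def header_order(raw: bytes):
    """Lower-cased header names in the order they appear on the wire."""
    return [name.lower() for name, _ in header_terminators(raw)]


if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("odd", ODD)):
        print(label, header_order(req), "bare LF after:", bare_lf_headers(req))
```

This has to run on reassembled packet payloads; server access logs record parsed fields and no longer carry the line terminators.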