[Snort-sigs] Air Installer PUA

James Lay jlay at ...3266...
Tue Nov 26 16:51:38 EST 2013


Meh:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32/AirAdInstaller Outbound Traffic"; flow:to_server, established; content:"User-Agent: Launcher Get Log Level"; fast_pattern:only; content:"|2f|get|2f|log_level|2f 3f|bundle="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/YWEyNGQ1MGJjYmQ1NDBjODg1NjExNWJkOTYwNjZiZjQ; classtype:bad-unknown; sid:10000114; rev:1;)

Adware...anyone remember AdAware?  Blast from the past for me :)

James
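
Added example, not part of the original post and not Snort code: an offline approximation of the rule's two content matches, usable for checking captured requests or proxy records. The sample requests, the host name and the bundle value are constructed placeholders, and the percent-decoding step is an assumption standing in for the URI buffer that http_uri inspects.

```python
from urllib.parse import unquote_to_bytes

# The rule's two content matches, written out as plain bytes.
UA_PATTERN = b"User-Agent: Launcher Get Log Level"
URI_PATTERN = b"/get/log_level/?bundle="  # |2f|get|2f|log_level|2f 3f|bundle=


def request_uri(raw: bytes):
    """Return the percent-decoded URI of an HTTP request, or None."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    # Assumption: approximates the decoded URI buffer that http_uri inspects.
    return unquote_to_bytes(parts[1])


def matches_rule(raw: bytes) -> bool:
    """True only when both contents are present, as the rule requires."""
    uri = request_uri(raw)
    if uri is None:
        return False
    # The User-Agent content has no buffer modifier, so search the whole request.
    return URI_PATTERN in uri and UA_PATTERN in raw


def build(uri: bytes, agent: bytes) -> bytes:
    """Assemble a constructed GET request for the samples below."""
    return (b"GET " + uri + b" HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"User-Agent: " + agent + b"\r\n\r\n")


# Constructed samples: one full match, one encoded variant, two near misses.
SAMPLES = {
    "both": build(b"/get/log_level/?bundle=EXAMPLE", b"Launcher Get Log Level"),
    "encoded_slash": build(b"/get/log_level%2F?bundle=EXAMPLE", b"Launcher Get Log Level"),
    "uri_only": build(b"/get/log_level/?bundle=EXAMPLE", b"Mozilla/5.0"),
    "agent_only": build(b"/index.html", b"Launcher Get Log Level"),
    "not_http": b"\x16\x03\x01\x00\x2e",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {matches_rule(raw)}")
```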



