[Snort-sigs] Air Installer PUA

James Lay jlay at ...3266...
Tue Nov 26 17:01:38 EST 2013


On 2013-11-26 14:51, James Lay wrote:
> Meh:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
>   msg:"PUA-ADWARE Win32/AirAdInstaller Outbound Traffic"; \
>   flow:to_server, established; \
>   content:"User-Agent: Launcher Get Log Level"; fast_pattern:only; \
>   content:"|2f|get|2f|log_level|2f 3f|bundle="; http_uri; \
>   metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; \
>   reference:url,malwr.com/analysis/YWEyNGQ1MGJjYmQ1NDBjODg1NjExNWJkOTYwNjZiZjQ; \
>   classtype:bad-unknown; sid:10000114; rev:1;)
>
> Adware...anyone remember AdAware?  Blast from the past for me :)
>
> James

Missed the http_header...thanks RM!

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
  msg:"PUA-ADWARE Win32/AirAdInstaller Outbound Traffic"; \
  flow:to_server, established; \
  content:"User-Agent: Launcher Get Log Level"; http_header; fast_pattern:only; \
  content:"|2f|get|2f|log_level|2f 3f|bundle="; http_uri; \
  metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; \
  reference:url,malwr.com/analysis/YWEyNGQ1MGJjYmQ1NDBjODg1NjExNWJkOTYwNjZiZjQ; \
  classtype:bad-unknown; sid:10000114; rev:1;)

James
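Added example, not part of the original post or of the Snort project: a small Python evaluator that applies the two content matches of the corrected rule to an HTTP request, scoped to the buffers the rule names (http_header and http_uri), and shows what the missing http_header modifier changed. The buffer split is a simplified stand-in for what Snort's HTTP inspect preprocessor does (assumption: the request line is not part of the http_header buffer), and both requests are constructed for illustration; nothing here is real capture data.

```python
# Added example (not from the original post): evaluate the rule's content
# matches against an HTTP request, honoring the http_header / http_uri buffers.

def snort_content_to_bytes(spec: str) -> bytes:
    """Decode a Snort content string: literal text with |xx xx| hex escapes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)      # hex segment, e.g. "2f 3f" -> b"/?"
    return bytes(out)


def split_http_request(raw: bytes) -> dict:
    """Approximate Snort's HTTP buffers for a client request.

    http_uri         -> the request-line URI
    http_header      -> the header block without the request line (assumption:
                        this mirrors what HttpInspect hands to http_header)
    http_client_body -> everything after the blank line
    raw              -> the whole payload, as an unscoped content sees it
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = b"".join(line + b"\r\n" for line in lines[1:])
    return {
        "http_method": method,
        "http_uri": uri,
        "http_header": headers,
        "http_client_body": body,
        "raw": raw,
    }


# The two content matches from the corrected rule, each bound to its buffer.
RULE_CONTENTS = [
    ("http_header", "User-Agent: Launcher Get Log Level"),
    ("http_uri", "|2f|get|2f|log_level|2f 3f|bundle="),
]


def rule_matches(raw_request: bytes, scoped: bool = True) -> bool:
    """Return True if every content match hits (content matches are case-sensitive).

    scoped=True  evaluates each content in its named buffer (the corrected rule).
    scoped=False evaluates the User-Agent content against the whole payload,
                 as the first version of the rule (no http_header) would.
    """
    bufs = split_http_request(raw_request)
    for buf_name, spec in RULE_CONTENTS:
        needle = snort_content_to_bytes(spec)
        if scoped or buf_name == "http_uri":
            haystack = bufs[buf_name]
        else:
            haystack = bufs["raw"]
        if needle not in haystack:
            return False
    return True


# Constructed sample traffic (not a real capture): the installer's check-in.
HIT = (
    b"GET /get/log_level/?bundle=example HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Launcher Get Log Level\r\n"
    b"\r\n"
)

# Constructed: same URI, but the User-Agent string only appears in the POST body.
BODY_ONLY = (
    b"POST /get/log_level/?bundle=example HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"User-Agent: Launcher Get Log Level"
)

if __name__ == "__main__":
    print("hit, scoped:      ", rule_matches(HIT))               # True
    print("body-only, scoped:", rule_matches(BODY_ONLY))         # False
    print("body-only, raw:   ", rule_matches(BODY_ONLY, False))  # True
```

The third case is the difference the http_header modifier makes: with the User-Agent content bound to the header buffer, the same bytes sitting in a request body no longer satisfy the rule, and the fast pattern matcher only has to search the normalized headers rather than the whole payload.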