[Snort-sigs] Adware/Toolbar?

Y M snort at ...3751...
Sun Oct 20 06:12:55 EDT 2013

I was not sure how to categorize this one. I was seeing several HTTP requests (see reference). After some googling, it seems the domain and the downloads from it do not have a good reputation. It may be nothing worthy.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBAR toolbar configuration download attempt"; flow:to_server,established; content:"/config/?"; http_uri; content:"&ext="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"&cmp="; distance:0; http_uri; content:"&rand="; distance:0; http_uri; metadata: policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/url/2397c37dc74b54ff7ff76960d6b4a921e914259f125e69d58f0626806eb99718/analysis/1382259349/; classtype:trojan-activity; sid:100075; rev:1;)
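
The rule above chains five http_uri content matches, four of them with distance:0 and none with nocase, so the parameters must appear in that order and in that case. The sketch below is an added illustration, not part of the original post: it emulates that chain over constructed URIs, assuming the URI is already normalized (Snort's HTTP normalization is not modelled).

```python
# Added illustration: emulates the ordered http_uri content chain of sid:100075.
# Assumption: input is an already-normalized URI string.

# Content strings copied from the rule. The first has no distance modifier;
# each later one carries distance:0, so it must start at or after the end
# of the previous match.
CHAIN = ["/config/?", "&ext=", "&ver=", "&cmp=", "&rand="]


def match_chain(uri, chain=CHAIN):
    """Return (offsets, None) on a full match, else (offsets_so_far, failing_content).

    Taking the leftmost hit for each content is sufficient here: with only
    distance:0 (no within/depth), an earlier hit never rules out a later one.
    str.find is case-sensitive, matching the rule's lack of nocase.
    """
    offsets = []
    cursor = 0
    for content in chain:
        pos = uri.find(content, cursor)
        if pos == -1:
            return offsets, content
        offsets.append(pos)
        cursor = pos + len(content)
    return offsets, None


# Constructed sample URIs (not taken from captured traffic).
SAMPLES = {
    "in_order": "/config/?id=1&ext=abc&ver=1.0&cmp=x&rand=123",
    "extra_params": "/a/config/?x=1&ext=a&foo=b&ver=2&cmp=c&bar=d&rand=9",
    "reordered": "/config/?id=1&ver=1.0&ext=abc&cmp=x&rand=123",
    "upper_case": "/config/?id=1&EXT=abc&ver=1.0&cmp=x&rand=123",
    "ext_first": "/config/?ext=abc&ver=1.0&cmp=x&rand=123",
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        offsets, missing = match_chain(uri)
        verdict = "ALERT" if missing is None else f"no match (fails at {missing!r})"
        print(f"{name:13} {verdict} offsets={offsets}")
```

The last three samples show where the signature would stay silent: reordered parameters, upper-case parameter names, and `ext` as the first query parameter (no leading `&`).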