[Snort-sigs] sig-id 1:26848:3
wkitty42 at ...3507...
Fri Oct 31 14:08:02 EDT 2014
On 10/30/2014 8:13 PM, Oscar A wrote:
> Can someone help me with this signature, what does it match and why?
in the rules I looked at (220.127.116.11 IIRC) this rule is disabled by default but you
can read the rule to see what it is looking at...
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (
#     msg:"BROWSER-IE Microsoft Internet Explorer 7 emulation via meta tag";
#     flow:to_client,established; file_data;
#     content:"<meta ";
#     content:"content=|22|IE=EmulateIE7|22|"; within:200;
#     metadata:service ftp-data, service http, service imap, service pop3;
#     classtype:attempted-user; sid:26848;
the first thing is that it is looking for the string "<meta " and then another
string of "content=|22|IE=EmulateIE7|22|"... the "|22|" parts are the double
quote character (")... the rule is looking for these in ftp, http, imap and pop3
the above rule may be triggered as part of MAGNITUDE EK infestation traffic as
noted at this URL... http://malware-traffic-analysis.net/2014/09/10/index.html
the above link was the 4th one in this google search...
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
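The following is an added example, not part of the original post and not code from the Snort rule set or the Snort engine. It models just the payload half of SID 26848 (the two content matches and the within:200 modifier) so the behaviour described above can be exercised offline. The within semantics are modelled as Snort documents them (the second pattern must fall entirely inside the 200 bytes after the end of the "<meta " match, and later "<meta " occurrences are retried when the first one fails); the HTML samples are constructed, not captured traffic, and the function names are this example's own.

```python
# Added example, not from the original post or the Snort rule set: a minimal
# model of the two content matches in SID 26848, run against constructed HTML.


def decode_snort_content(pattern: str) -> bytes:
    """Convert a Snort content string to the bytes Snort searches for.

    Text between a pair of pipes is hex ("|22|" is a double quote); text
    outside pipes is literal.  Only the subset needed by this rule is modelled.
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes and hold hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


META = decode_snort_content("<meta ")
EMULATE = decode_snort_content("content=|22|IE=EmulateIE7|22|")
WITHIN = 200  # the rule's within:200 modifier on the second content


def rule_26848_matches(file_data: bytes) -> bool:
    """Model of the payload part of the rule on one reassembled file_data buffer.

    Assumed semantics (as documented for Snort content/within): the second
    pattern must sit entirely inside the 200 bytes that follow the end of a
    "<meta " match.  If it does not, the next "<meta " occurrence is tried
    before giving up, so a later meta tag in the same file can still fire.
    The rule carries no nocase modifier, so both matches are case-sensitive.
    """
    start = 0
    while (idx := file_data.find(META, start)) != -1:
        cursor = idx + len(META)
        if EMULATE in file_data[cursor:cursor + WITHIN]:
            return True
        start = idx + 1
    return False


# Constructed samples (not captured traffic) covering the cases a practitioner
# would want to check before trusting the rule.
SAMPLES = {
    "emulate_ie7": b'<html><head><meta http-equiv="X-UA-Compatible" '
                   b'content="IE=EmulateIE7"></head>',
    "ordinary_meta": b'<head><meta name="viewport" content="width=device-width"></head>',
    # second content starts more than 200 bytes after "<meta ", so within:200 fails
    "too_far": b"<meta " + b"x" * 250 + b'content="IE=EmulateIE7"',
    # an earlier unrelated meta tag is skipped; the later one is within range
    "second_meta": b'<meta charset="utf-8">' + b"y" * 300
                   + b'<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">',
    # no nocase on the rule, so a different attribute case is not matched
    "upper_case": b'<meta http-equiv="X-UA-Compatible" CONTENT="IE=EmulateIE7">',
    # single-quoted attribute value never contains the |22| bytes
    "single_quotes": b"<meta http-equiv='X-UA-Compatible' content='IE=EmulateIE7'>",
}


def evaluate_samples() -> dict:
    """Run the modelled rule over every sample and return name -> matched."""
    return {name: rule_26848_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:14s} {'ALERT' if hit else 'no match'}")
```

The two cases that do not fire ("upper_case" and "single_quotes") are worth noting: because the rule has no nocase modifier and hard-codes the double quote as |22|, trivial markup variations of the same meta tag pass it untouched, which is one reason a signature like this is better treated as a weak indicator than as a detection on its own.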