[Snort-sigs] Ginwin improvments?

Joe thanks!!

So we could write a follow up rule like:
alert tcp $HOME_NET -> $EXTERNAL_NET 80 (msg:"GINWIN Virus Post
attempt"; flow:to_server,stateless; content:"POST|20 2f
20|HTTP|2f|1|2e|1"; depth:15; content:"Host|3a|"; within:3; depth:5;
content:"scfzf.xicp.net"; distance:1; depth:14; sid:91919191; rev:1;)

And a second rule could be written to be similiar.  Again, until (or
if VRT) puts one out, this may suffice.
I didn't used "established" in the flow because according to the pcap,
no session is established, would need further research to determine.

There may not be a good way to detect this before to infection..  IDS != AV





> On Friday 26 May 2006 08:47, Ureleet Ureleet wrote:
> > > I do not have a pcap for it.  This was a preemptive signature based
> > > off of the virus info.  Please not to write me asking for pcap
> > > anymore.  If I had one, it would be given to the people at VRT.
>
> Here's a (sandnet-collected, so the IPs are not real) pcap of the DNS
> request and the initial HTTP post to one of the two hosts.
>
> -Joe

> -- Joe Stewart, GCIH Senior Security Researcher LURHQ http://www.lurhq.com/


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs