Nice catch. I'll put that in current events, since the domain will
probably be gone in a week or so.
Thanks!
Matt
Thierry CHICH wrote:
> Hello,
>
> One existing alert (useragent=mozila/4.0) has detected this trojan,
> defined at the url given as reference. This rule can be a more specific rule
> for this trojan.
>
>
> alert tcp any any -> any any (msg: "LOCAL TROJ_MESPAM.A";
> flow:to_server,established;
> pcre:"/^Host\x3A[^\r\n]*p\x2Esecondsite1\x2Ecom/smi";
> classtype:policy-violation;
> reference:url,de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=TROJ_MESPAM.A;
> sid:200703190959;rev:1;)
>
>
> Thierry.
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
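
Added example, not part of the original thread: the rule's pcre (written with its backslash escapes) run over constructed HTTP requests to show what the Host-header match catches and where it is broader than the one hostname. The helper names `rule_matches` and `request` and all sample hosts are hypothetical.

```python
import re

# The pcre from the rule in the thread. Snort's /smi modifiers correspond to
# DOTALL (s), MULTILINE (m) and IGNORECASE (i) in Python's re module.
HOST_RE = re.compile(rb"^Host\x3A[^\r\n]*p\x2Esecondsite1\x2Ecom",
                     re.S | re.M | re.I)


def rule_matches(payload: bytes) -> bool:
    """Return True if the rule's pcre matches this client-to-server payload."""
    return HOST_RE.search(payload) is not None


def request(host: str, path: str = "/") -> bytes:
    """Build a constructed HTTP request (hypothetical helper, sample data only)."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"User-Agent: mozila/4.0\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")


# Constructed samples: (description, payload, expected match)
SAMPLES = [
    ("exact host", request("p.secondsite1.com"), True),
    ("mixed case host (i modifier)", request("P.SecondSite1.COM"), True),
    ("domain only in the URI, not in Host",
     request("www.example.com", "/?u=p.secondsite1.com"), False),
    ("escaped dot is literal", request("pXsecondsite1Xcom"), False),
    # The pattern is not anchored to a label boundary or to end of line,
    # so these hosts also match and can alert on unrelated traffic.
    ("label merely ending in 'p'", request("help.secondsite1.com"), True),
    ("trailing suffix", request("p.secondsite1.com.example.org"), True),
]


def run_samples():
    """Return (description, matched) for every constructed sample."""
    return [(desc, rule_matches(payload)) for desc, payload, _ in SAMPLES]


if __name__ == "__main__":
    for desc, matched in run_samples():
        print(f"{'ALERT' if matched else 'quiet':5}  {desc}")
```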