refs: for sids 2007688, 2003183
Reg Quinton (Canada)
2007-12-14 09:56:53
These sigs catch the post and reply on the same infection. But only 2007688 has a ref, can we attach the same ref to the second one?

[10:50am dominic] egrep '2007688|2003183' /etc/snort/bleeding-all.rules
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Prg Trojan Server Reply"; flow:to_client,established; content:"HTTP"; depth:4; content:"|0d0a|Hall|3a|"; within:512; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2003183; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Prg Trojan HTTP POST"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/s.php?2="; uricontent:"&n="; uricontent:"&v="; uricontent:"&sp="; uricontent:"&lcp="; classtype:trojan-activity; sid:2007688; rev:1;)

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Re: refs: for sids 2007688, 2003183
jeremy
2007-12-14 10:26:26
Yep, that reference applies....

--jeremy

On Dec 14, 2007 9:56 AM, Reg Quinton <reggers@ist.uwaterloo.ca> wrote:
> These sigs catch the post and reply on the same infection. But only 2007688
> has a ref, can we attach the same ref to the second one?
>
> [10:50am dominic] egrep '2007688|2003183' /etc/snort/bleeding-all.rules
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Prg Trojan Server Reply"; flow:to_client,established; content:"HTTP"; depth:4; content:"|0d0a|Hall|3a|"; within:512; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2003183; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Prg Trojan HTTP POST"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/s.php?2="; uricontent:"&n="; uricontent:"&v="; uricontent:"&sp="; uricontent:"&lcp="; classtype:trojan-activity; sid:2007688; rev:1;)



-- 
/jeremy

With yet another email virus spreading across the globe, 41 US states and six European countries today announced that the act of creating an attachment-based computer virus will now be considered a hate crime because it intentionally targets stupid people. Like any other segment of the population, people of stupidity need protection from bias. (SatireWire)

Re: refs: for sids 2007688, 2003183
Blake (United States)
2007-12-17 17:47:34
Thanks for pointing this out. I added the reference.
Blake

Reg Quinton wrote:
> These sigs catch the post and reply on the same infection. But only 2007688
> has a ref, can we attach the same ref to the second one?
>
> [10:50am dominic] egrep '2007688|2003183' /etc/snort/bleeding-all.rules
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Prg Trojan Server Reply"; flow:to_client,established; content:"HTTP"; depth:4; content:"|0d0a|Hall|3a|"; within:512; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2003183; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Prg Trojan HTTP POST"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/s.php?2="; uricontent:"&n="; uricontent:"&v="; uricontent:"&sp="; uricontent:"&lcp="; classtype:trojan-activity; sid:2007688; rev:1;)

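The housekeeping the thread asks for (find which of the two sids has no reference option, attach the same one, bump the rev), plus a quick check that the rules' content/uricontent conditions fire on traffic shaped like the Prg POST and the server reply, as an added Python example. This is not code from the list posting or from the Bleeding Edge ruleset; the two rule strings are copied from the thread as quoted (where only sid 2003183 carries a reference), the sample payloads are constructed, and the matcher is a simplification that honours only depth and within and takes the URI as an argument instead of from Snort's http_inspect normalization.

```python
import re

# Constructed copies of the two Bleeding Edge rules quoted in the thread, one rule per line.
# In the quoted text only the server-reply rule (sid 2003183) carries a reference option.
RULES = [
    'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Prg Trojan Server Reply"; '
    'flow:to_client,established; content:"HTTP"; depth:4; content:"|0d0a|Hall|3a|"; within:512; '
    'reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; '
    'classtype:trojan-activity; sid:2003183; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Prg Trojan HTTP POST"; '
    'flow:established,to_server; content:"POST "; depth:5; uricontent:"/s.php?2="; uricontent:"&n="; '
    'uricontent:"&v="; uricontent:"&sp="; uricontent:"&lcp="; classtype:trojan-activity; sid:2007688; rev:1;)',
]
REPLY_RULE, POST_RULE = RULES
REF = 'url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf'

# One rule option: keyword, optional ":value" (quoted strings may contain ';'), terminating ';'.
OPT_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;"])*))?;')


def parse_rule(line):
    """Split a rule into its header and an ordered list of (keyword, value) options."""
    head, _, body = line.partition('(')
    opts = [(k, v.strip()) for k, v in OPT_RE.findall(body.rstrip().rstrip(')'))]
    return head.strip(), opts


def unparse_rule(head, opts):
    """Rebuild a rule from parse_rule output, one space between options."""
    return head + ' (' + ' '.join(f'{k}:{v};' if v else f'{k};' for k, v in opts) + ')'


def sids_missing_reference(rules):
    """Return the sids of rules that carry no reference: option at all."""
    missing = []
    for line in rules:
        keys = dict(parse_rule(line)[1])
        if 'reference' not in keys:
            missing.append(int(keys['sid']))
    return missing


def add_reference(line, ref):
    """Insert reference:<ref> before classtype and bump rev, as a rule maintainer would."""
    head, opts = parse_rule(line)
    if ('reference', ref) in opts:
        return line
    new = []
    for k, v in opts:
        if k == 'classtype':
            new.append(('reference', ref))
        if k == 'rev':
            v = str(int(v) + 1)
        new.append((k, v))
    return unparse_rule(head, new)


def snort_bytes(value):
    """Decode a content/uricontent string, turning |hex| escapes into raw bytes."""
    out = b''
    for i, part in enumerate(value.strip('"').split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def rule_matches(line, payload, uri=b''):
    """Simplified content matcher: honours depth and within, ignores nocase/offset/distance.
    uricontent is checked against the caller-supplied URI (Snort gets it from http_inspect)."""
    specs = []
    for k, v in parse_rule(line)[1]:
        if k in ('content', 'uricontent'):
            specs.append({'kind': k, 'pat': snort_bytes(v), 'depth': None, 'within': None})
        elif k in ('depth', 'within') and specs:
            specs[-1][k] = int(v)
    cursor = 0  # end of the previous payload match; within: is measured from here
    for s in specs:
        if s['kind'] == 'uricontent':
            if s['pat'] not in uri:
                return False
            continue
        start = cursor if s['within'] is not None else 0
        end = len(payload)
        if s['depth'] is not None:
            end = min(end, s['depth'])
        if s['within'] is not None:
            end = min(end, cursor + s['within'])
        idx = payload.find(s['pat'], start, end)
        if idx < 0:
            return False
        cursor = idx + len(s['pat'])
    return True


# Constructed sample traffic (not real captures): one matching POST, one matching reply,
# and a benign reply that has "Hall:" only inside the body, not as a header line.
POST_URI = b'/s.php?2=abc&n=host&v=1&sp=XP&lcp=1'
POST_PAYLOAD = b'POST ' + POST_URI + b' HTTP/1.1\r\nHost: example.invalid\r\n\r\n'
REPLY_PAYLOAD = b'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nHall: 1\r\n\r\n'
BENIGN_REPLY = b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Hall: 1</html>'

if __name__ == '__main__':
    print('missing reference:', sids_missing_reference(RULES))
    print(add_reference(POST_RULE, REF))
    print('reply matches:', rule_matches(REPLY_RULE, REPLY_PAYLOAD),
          'benign:', rule_matches(REPLY_RULE, BENIGN_REPLY))
    print('post matches:', rule_matches(POST_RULE, POST_PAYLOAD, POST_URI))
```

The reference is inserted ahead of classtype and rev is incremented because a changed rule body is a new revision even when detection logic is untouched; add_reference is idempotent so re-running it over an already fixed ruleset is safe. The matcher is only for sanity-checking a rule against a crafted payload; real validation still means feeding a pcap through Snort.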
