harry.tuttle | 1 Aug 23:15 2012

Re: trojan sig

Ah, you're right. The first several GETs in my pcap did not have it, so I didn't look further.

I wonder how unique "en" by itself is in the Accept-Language header. That might work on its own.

Also, some of the GETs are to just "/", and some of the POSTs are to a URI similar to the one in the GET below.

---- On Wed, 01 Aug 2012 13:35:57 -0700 Joel Esler  wrote ---- 

>The User-Agent isn't always absent. 
> 
>On Aug 1, 2012, at 3:36 PM, harry.tuttle  wrote: 
> 
>> I've got a piece of malware, MD5 cf5df13f8498326f1c6407749b3fe160. Names on VT haven't really clustered around any particular name yet.
>> 
>> Its HTTP GETs look pretty unique. Here's a quick rule. More info below. 
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN unknown trojan HTTP GET"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/?"; depth:2; http_uri; content:"Accept-Language|3a 20|en|0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:nnnnnnn; rev:1;)
>> 
>> 
>> Observed traffic (it does not use the system's proxy if one is configured): 
>> 
>> GET /?xclzve_Yekqw17CIOUaflrx28EJPUaflsy49F HTTP/1.1 
>> Accept: */* 
>> Accept-Language: en 
>> Accept-Encoding: gzip, deflate 

Will Metcalf | 2 Aug 01:42 2012

Re: trojan sig

Based on the number of hits I got from our test data sets I'm guessing
FP's are going to be a problem with this one.  Anybody have more
examples of these?  Maybe we can find a pattern in the uri?

Regards,

Will

On Wed, Aug 1, 2012 at 4:15 PM, harry.tuttle <harry.tuttle@...> wrote:
> Ah, you're right. The first several GETs in my pcap did not have it, so I didn't look further.
>
> I wonder how unique "en" by itself is in the Accept-Language header. That might work on its own.
>
> Also, some of the GETs are to just "/", and some of the POSTs are to a URI similar to the one in the GET below.
>
>
> ---- On Wed, 01 Aug 2012 13:35:57 -0700 Joel Esler  wrote ----
>
>>The User-Agent isn't always absent.
>>
>>On Aug 1, 2012, at 3:36 PM, harry.tuttle  wrote:
>>
>>> I've got a piece of malware, MD5 cf5df13f8498326f1c6407749b3fe160. Names on VT haven't really clustered around any particular name yet.
>>>
>>> Its HTTP GETs look pretty unique. Here's a quick rule. More info below.
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN unknown trojan HTTP GET"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/?"; depth:2; http_uri; content:"Accept-Language|3a 20|en|0d 0a|"; http_header; content:!"User-Agent|3a|";

Joel Esler | 2 Aug 04:11 2012

Re: trojan sig

The first part of the uri is static up until the underscore.  

--
Joel Esler
Sent from my iPhone

On Aug 1, 2012, at 7:42 PM, Will Metcalf <william.metcalf@...> wrote:

> Based on the number of hits I got from our test data sets I'm guessing
> FP's are going to be a problem with this one.  Anybody have more
> examples of these?  Maybe we can find a pattern in the uri?
> 
> Regards,
> 
> Will
> 
> On Wed, Aug 1, 2012 at 4:15 PM, harry.tuttle <harry.tuttle@...> wrote:
>> Ah, you're right. The first several GETs in my pcap did not have it, so I didn't look further.
>> 
>> I wonder how unique "en" by itself is in the Accept-Language header. That might work on its own.
>> 
>> Also, some of the GETs are to just "/", and some of the POSTs are to a URI similar to the one in the GET below.
>> 
>> 
>> ---- On Wed, 01 Aug 2012 13:35:57 -0700 Joel Esler  wrote ----
>> 
>>> The User-Agent isn't always absent.
>>> 
>>> On Aug 1, 2012, at 3:36 PM, harry.tuttle  wrote:
>>> 

harry.tuttle | 2 Aug 15:27 2012

Re: trojan sig

Joel, are you looking at sandbox reports for my MD5, or do you have another? I didn't want to assume that was
always static based on my single sample if there was another option. I thought the en by itself might be
fairly unique, but I guess not.

---- On Wed, 01 Aug 2012 19:11:08 -0700 Joel Esler  wrote ---- 

>The first part of the uri is static up until the underscore. 
> 
>-- 
>Joel Esler 
>Sent from my iPhone 
> 
>On Aug 1, 2012, at 7:42 PM, Will Metcalf  wrote: 
> 
>> Based on the number of hits I got from our test data sets I'm guessing
>> FP's are going to be a problem with this one. Anybody have more
>> examples of these? Maybe we can find a pattern in the uri?
>> 
>> Regards, 
>> 
>> Will 
>> 
>> On Wed, Aug 1, 2012 at 4:15 PM, harry.tuttle  wrote: 
>>> Ah, you're right. The first several GETs in my pcap did not have it, so I didn't look further. 
>>> 
>>> I wonder how unique "en" by itself is in the Accept-Language header. That might work on its own. 
>>> 
>>> Also, some of the GETs are to just "/", and some of the POSTs are to a URI similar to the one in the GET below. 
>>> 
>>> 

Joel Esler | 2 Aug 16:12 2012

Re: trojan sig

No, it's not unique.  The only part that is, it looks like, is the URL.

I'm looking at several samples, your MD5 is in there already.

On Aug 2, 2012, at 9:27 AM, "harry.tuttle" <harry.tuttle@...> wrote:

> Joel, are you looking at sandbox reports for my MD5, or do you have another? I didn't want to assume that was always static based on my single sample if there was another option. I thought the en by itself might be fairly unique, but I guess not.
> 
> 
> ---- On Wed, 01 Aug 2012 19:11:08 -0700 Joel Esler  wrote ---- 
> 
>> The first part of the uri is static up until the underscore. 
>> 
>> -- 
>> Joel Esler 
>> Sent from my iPhone 
>> 
>> On Aug 1, 2012, at 7:42 PM, Will Metcalf  wrote: 
>> 
>>> Based on the number of hits I got from our test data sets I'm guessing
>>> FP's are going to be a problem with this one. Anybody have more
>>> examples of these? Maybe we can find a pattern in the uri?
>>> 
>>> Regards, 
>>> 
>>> Will 
>>> 
>>> On Wed, Aug 1, 2012 at 4:15 PM, harry.tuttle  wrote: 

harry.tuttle | 2 Aug 16:58 2012

Re: trojan sig

Thanks, Joel.

So then I guess the obvious rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Jorik.Totem.vg HTTP request"; flow:established,to_server; content:"/?xclzve_"; depth:9; http_uri; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:nnnnnnn; rev:1;)

---- On Thu, 02 Aug 2012 07:12:52 -0700 Joel Esler  wrote ---- 

>No, it's not unique. The only part that is, it looks like, is the URL. 
> 
>I'm looking at several samples, your MD5 is in there already. 
> 
>On Aug 2, 2012, at 9:27 AM, "harry.tuttle"  wrote: 
> 
>> Joel, are you looking at sandbox reports for my MD5, or do you have another? I didn't want to assume that was always static based on my single sample if there was another option. I thought the en by itself might be fairly unique, but I guess not.
>> 
>> 
>> ---- On Wed, 01 Aug 2012 19:11:08 -0700 Joel Esler wrote ---- 
>> 
>>> The first part of the uri is static up until the underscore. 
>>> 
>>> -- 
>>> Joel Esler 
>>> Sent from my iPhone 
>>> 
>>> On Aug 1, 2012, at 7:42 PM, Will Metcalf wrote: 

Will Metcalf | 3 Aug 05:11 2012

Re: trojan sig

This is in tonight's release. Harry, thanks for the sig. Joel, thanks for all the input!


Regards,

Will

On Thu, Aug 2, 2012 at 9:58 AM, harry.tuttle <harry.tuttle-ytc+IHgoah0@public.gmane.org> wrote:
Thanks, Joel.

So then I guess the obvious rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Jorik.Totem.vg HTTP request"; flow:established,to_server; content:"/?xclzve_"; depth:9; http_uri; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:nnnnnnn; rev:1;)


---- On Thu, 02 Aug 2012 07:12:52 -0700 Joel Esler  wrote ----

>No, it's not unique. The only part that is, it looks like, is the URL.
>
>I'm looking at several samples, your MD5 is in there already.
>
>On Aug 2, 2012, at 9:27 AM, "harry.tuttle"  wrote:
>
>> Joel, are you looking at sandbox reports for my MD5, or do you have another? I didn't want to assume that was always static based on my single sample if there was another option. I thought the en by itself might be fairly unique, but I guess not.
>>
>>
>> ---- On Wed, 01 Aug 2012 19:11:08 -0700 Joel Esler wrote ----
>>
>>> The first part of the uri is static up until the underscore.
>>>
>>> --
>>> Joel Esler
>>> Sent from my iPhone
>>>
>>> On Aug 1, 2012, at 7:42 PM, Will Metcalf wrote:
>>>
>>>> Based on the number of hits I got from our test data sets I'm guessing
>>>> FP's are going to be a problem with this one. Anybody have more
>>>> examples of these? Maybe we can find a pattern in the uri?
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> On Wed, Aug 1, 2012 at 4:15 PM, harry.tuttle wrote:
>>>>> Ah, you're right. The first several GETs in my pcap did not have it, so I didn't look further.
>>>>>
>>>>> I wonder how unique "en" by itself is in the Accept-Language header. That might work on its own.
>>>>>
>>>>> Also, some of the GETs are to just "/", and some of the POSTs are to a URI similar to the one in the GET below.
>>>>>
>>>>>
>>>>> ---- On Wed, 01 Aug 2012 13:35:57 -0700 Joel Esler wrote ----
>>>>>
>>>>>> The User-Agent isn't always absent.
>>>>>>
>>>>>> On Aug 1, 2012, at 3:36 PM, harry.tuttle wrote:
>>>>>>
>>>>>>> I've got a piece of malware, MD5 cf5df13f8498326f1c6407749b3fe160. Names on VT haven't really clustered around any particular name yet.
>>>>>>>
>>>>>>> Its HTTP GETs look pretty unique. Here's a quick rule. More info below.
>>>>>>>
>>>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN unknown trojan HTTP GET"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/?"; depth:2; http_uri; content:"Accept-Language|3a 20|en|0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:nnnnnnn; rev:1;)
>>>>>>>
>>>>>>>
>>>>>>> Observed traffic (it does not use the system's proxy if one is configured):
>>>>>>>
>>>>>>> GET /?xclzve_Yekqw17CIOUaflrx28EJPUaflsy49F HTTP/1.1
>>>>>>> Accept: */*
>>>>>>> Accept-Language: en
>>>>>>> Accept-Encoding: gzip, deflate
>>>>>>> Host: accountaxation.com
>>>>>>> Cache-Control: no-cache
>>>>>>>
>>>>>>> POST / HTTP/1.1
>>>>>>> Accept: */*
>>>>>>> Accept-Language: en-us
>>>>>>> Content-Type: application/octet-stream
>>>>>>> Content-Length: 166
>>>>>>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>>>>>>> Host: 0degree.com
>>>>>>> Connection: Keep-Alive
>>>>>>> Cache-Control: no-cache
>>>>>>>
>>>>>>> There is also some SSL traffic, some of which fails as malformed, and some non-smtp traffic to 25/tcp. If I come up with anything else, I'll let you know, and I'd be curious if anyone else has more info.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Harry
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Emerging-sigs mailing list
>>>>>>> Emerging-sigs-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org
>>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>>
>>>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
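
Added example (not part of any message in this thread, and not Emerging Threats or Snort code): a small Python harness that emulates only the content checks of the draft rule and the final rule, then runs both over the two requests quoted in the thread plus three constructed ones covering the cases raised in the replies. The constructed requests, the `.example` hosts and all function names are assumptions for illustration.

```python
# Added illustration, not Snort itself: emulates only the content checks used
# by the two rules in this thread (http_method, http_uri with depth, http_header).

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header block)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return method, uri, headers + b"\r\n"

def draft_rule(raw: bytes) -> bool:
    """content:"GET"; http_method; nocase; content:"/?"; depth:2; http_uri;
    content:"Accept-Language|3a 20|en|0d 0a|"; content:!"User-Agent|3a|"."""
    method, uri, headers = parse_request(raw)
    return (b"GET" in method.upper()
            and uri[:2] == b"/?"
            and b"Accept-Language: en\r\n" in headers
            and b"User-Agent:" not in headers)

def final_rule(raw: bytes) -> bool:
    """content:"/?xclzve_"; depth:9; http_uri; with no method or header test."""
    _method, uri, _headers = parse_request(raw)
    return uri[:9] == b"/?xclzve_"

def req(*lines: str) -> bytes:
    """Build a header-only request from its lines (bodies are not needed here)."""
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

SAMPLES = {
    # The two requests quoted in the thread.
    "observed_get": req("GET /?xclzve_Yekqw17CIOUaflrx28EJPUaflsy49F HTTP/1.1",
                        "Accept: */*", "Accept-Language: en",
                        "Accept-Encoding: gzip, deflate",
                        "Host: accountaxation.com", "Cache-Control: no-cache"),
    "observed_post": req("POST / HTTP/1.1", "Accept: */*", "Accept-Language: en-us",
                         "Content-Type: application/octet-stream", "Content-Length: 166",
                         "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
                         "Host: 0degree.com", "Connection: Keep-Alive",
                         "Cache-Control: no-cache"),
    # Constructed requests (not from the pcap) for the cases raised in the replies.
    "get_with_user_agent": req("GET /?xclzve_AAAA HTTP/1.1", "Accept-Language: en",
                               "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)",
                               "Host: c2.example"),
    "post_similar_uri": req("POST /?xclzve_BBBB HTTP/1.1", "Accept-Language: en-us",
                            "Host: c2.example"),
    "benign_get": req("GET /?q=weather HTTP/1.1", "Accept: */*",
                      "Accept-Language: en", "Host: search.example"),
}

def evaluate():
    """Return {sample name: (draft_rule hit, final_rule hit)}."""
    return {name: (draft_rule(raw), final_rule(raw)) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:20} draft={hits[0]!s:5} final={hits[1]}")
```

Neither check covers the GETs to just "/" mentioned earlier in the thread, since those carry no URI prefix to anchor on.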
