ARP spoofing을 이용한 악성코드(게임계정탈취) 감염 탐지

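# Snort rules for the ARP-spoofing game-account-stealer campaign.
#
# What they catch: the follow-on HTTP request in which a victim host pulls
# the injected script (yahoo1.js / yahoo.js) or the dropper (s.exe) from the
# attacker-controlled domains listed below. The match is on the client ->
# server request, so the flow's source IP is the (probably) infected or
# poisoned host. They do NOT detect the ARP spoofing itself; pair them with
# an ARP-anomaly detector (e.g. the arpspoof preprocessor with a static
# IP/MAC table) if you need to catch the poisoning stage.
#
# Fixes versus the original listing:
#   * the rules used typographic quotes (” ”) instead of ASCII "", which
#     makes Snort reject every rule at load time;
#   * each rule now carries msg/classtype/sid/rev, which Snort requires for
#     the rule to load and for alerts to be attributable.
#
# Caveats: only plaintext HTTP on port 80 is covered, and the domains/paths
# are campaign IOCs that may go stale. "nocase" applies to the Host header
# match only (hostnames are case-insensitive); the URI match stays
# case-sensitive as in the original. SIDs are in the local range
# (>= 1000000) - renumber to fit your own allocation.

alert tcp any any -> any 80 (msg:"MALWARE ARP-spoofing game-account stealer - dropper s.exe requested from www.exinwl.com"; flow:established,to_server; uricontent:"/images/s.exe"; content:"Host|3a 20|www.exinwl.com"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"MALWARE ARP-spoofing game-account stealer - injected yahoo1.js requested from www.xzjiayuan.com"; flow:established,to_server; uricontent:"/ad/yahoo1.js"; content:"Host|3a 20|www.xzjiayuan.com"; nocase; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"MALWARE ARP-spoofing game-account stealer - injected yahoo.js requested from www.faloge.com"; flow:established,to_server; uricontent:"/js/yahoo.js"; content:"Host|3a 20|www.faloge.com"; nocase; classtype:trojan-activity; sid:1000003; rev:1;)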

