Looking for an IDS alert like: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:"Content-Length: "; nocase; byte_test:8,<,201,0,string,relative; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:5;) IDS rule author = Alex Avery.A.Tarasov
Then trying to get to an urlquery scan with this particular IDS rule flagged and instatntly ,bingo!, blocked by avast! Webshield, that detected scan url- | {gzip} as HTML:JNLP-C[Trj]
So keep your avast! shield protection up online all the time and all of the time,
Damian
