#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED perlb0t/w0rmb0t Response (Case 1)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; reference:url,doc.emergingthreats.net/2006910; classtype:trojan-activity; sid:2006910; rev:7;)

Added 2011-10-21 14:50:59 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flow:established; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; reference:url,doc.emergingthreats.net/2006910; classtype:trojan-activity; sid:2006910; rev:6;)

Added 2011-10-12 19:21:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flow:established; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006910; sid:2006910; rev:6;)

Added 2011-09-14 22:35:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flow:established; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2006910; rev:6;)

Added 2011-02-04 17:25:55 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flow:established; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2006910; rev:6;)

Added 2009-07-29 15:22:55 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flow:established; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2006910; rev:6;)

Added 2009-07-29 15:22:55 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2006910; rev:5;)

Added 2009-02-13 19:15:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2006910; rev:5;)

Added 2009-02-13 19:15:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; sid:2006910; rev:4;)

Added 2008-08-27 11:15:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; sid:2006910; rev:4;)

Added 2008-08-27 11:15:21 UTC


alert tcp any any -> any any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; sid:2006910; rev:3;)

Added 2008-03-09 19:05:29 UTC


alert tcp any any -> any any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; sid:2006910; rev:3;)

Added 2008-03-09 19:05:29 UTC


alert tcp any any -> any any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; flowbits:set,BE.trojan; classtype:trojan-activity; sid:2006910; rev:2;)

Added 2008-01-31 10:12:23 UTC


alert tcp any any -> any any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; flowbits:set,BE.trojan; classtype:trojan-activity; sid:2006910; rev:2;)

Added 2008-01-31 10:12:23 UTC


alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; flowbits:set,BE.trojan; classtype:trojan-activity; sid:2006910; rev:1;)

Added 2007-08-10 01:20:19 UTC


Topic revision: r1 - 2011-10-21 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats