# sid 2010165 rev 7: alerts on established client-to-server flows from $HOME_NET to $EXTERNAL_NET.
# The protocol keyword is `http` with destination port `any`, so matching is not tied to $HTTP_PORTS.
# Conditions: the URI contains ".php?adv=adv" (case-sensitive, no nocase on that content), and the
# header buffer holds a User-Agent line ending in ")ver" plus digits (pcre with /H header buffer,
# /m per-line anchors, /i case-insensitive). ")ver" is the fast_pattern.
# NOTE(review): metadata gives created_at/updated_at 2010_07_30, but this page lists the first
# revision as added 2009-10-27 and this one as added 2017-08-07. Do not use the metadata dates for timelines.
# Coverage caveat: both conditions need cleartext HTTP fields visible to the sensor. Treat a hit as a
# lead to confirm on the host, not as proof of infection on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:to_server,established; content:".php?adv=adv"; http_uri; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; distance:0; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]+\)ver\d+\r?$/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:03:16 UTC


# sid 2010165 rev 6: first revision on this page to key on the User-Agent instead of the full
# query-string layout. It requires ".php?adv=adv" in the URI (case-sensitive) and a User-Agent
# header line ending in ")ver" plus digits (pcre /Hmi on the header buffer). ")ver" is the fast_pattern.
# The header is `alert tcp ... $HTTP_PORTS`, so only traffic to ports listed in $HTTP_PORTS is
# inspected. HTTP on a port missing from that variable is not covered by this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:to_server,established; content:".php?adv=adv"; http_uri; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; distance:0; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]+\)ver\d+\r?$/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:6;)

Added 2012-08-24 18:30:34 UTC


# sid 2010165 rev 5: URI-only detection on established client-to-server traffic to $HTTP_PORTS.
# The three content matches (".php?adv=", "&code1=", "&code2="; nocase, http_uri) carry no
# distance/within, so they do not constrain order. The pcre on the normalized URI (/U) enforces the
# layout: adv=adv<digits>, code1=<word chars>, code2=<digits>, id=<optional '-'><digits>, p=<digit>.
# The pcre has no /i flag, so the final decision is case-sensitive despite the nocase contents.
# The only change from rev 4 is the trailing `\d` in place of `\d+`. The pattern is unanchored at the
# end, so both forms accept the same URIs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; content:".php?adv="; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:5;)

Added 2012-06-22 00:48:42 UTC


# sid 2010165 rev 4 (entry added 2011-10-12): URI-only detection. It requires three case-insensitive
# URI substrings, then a case-sensitive pcre on the normalized URI (/U) that requires
# adv=adv<digits>, code1=<word chars>, code2=<digits>, id=<optional '-'><digits>, p=<digits>, in that order.
# Compared with the 2011-09-14 entry, only the position of classtype changes (now after the
# references). The rev number stays at 4, so rev alone does not identify the exact rule text.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; content:".php?adv="; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:4;)

Added 2011-10-12 19:29:05 UTC


# sid 2010165 rev 4 (entry added 2011-09-14): same match logic as the 2011-02-04 rev:4 entry. It uses
# three nocase http_uri contents plus a case-sensitive /U pcre for the adv/code1/code2/id/p layout.
# The only difference is that the cvsweb reference URL is dropped. The rev number was not bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; content:".php?adv="; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; sid:2010165; rev:4;)

Added 2011-09-14 22:42:21 UTC


# sid 2010165 rev 4 (entry added 2011-02-04): replaces the legacy `uricontent` keyword used in rev 3
# with `content` plus the `http_uri` modifier. The substrings and the pcre are unchanged.
# The pcre (/U, normalized URI, case-sensitive) requires adv=adv<digits>, code1=<word chars>,
# code2=<digits>, id=<optional '-'><digits>, p=<digits> in that order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; content:".php?adv="; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs; sid:2010165; rev:4;)

Added 2011-02-04 17:29:37 UTC


# sid 2010165 rev 3 (one of four identical rev:3 entries on this page). It uses the legacy
# `uricontent` keyword for three case-insensitive URI substrings, then a case-sensitive pcre on the
# normalized URI (/U) for adv=adv<digits>, code1=<word chars>, code2=<digits>, id=<optional '-'><digits>, p=<digits>.
# Match logic is unchanged from rev 2. Only the doc.emergingthreats.net and cvsweb references are added.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; uricontent:".php?adv="; nocase; uricontent:"&code1="; nocase; uricontent:"&code2="; nocase; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs; sid:2010165; rev:3;)

Added 2009-11-02 20:30:41 UTC


# sid 2010165 rev 3 (text identical to the other rev:3 entries on this page). It requires three nocase
# `uricontent` substrings plus a case-sensitive /U pcre that fixes the order and value types of the
# adv, code1, code2, id and p query parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; uricontent:".php?adv="; nocase; uricontent:"&code1="; nocase; uricontent:"&code2="; nocase; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs; sid:2010165; rev:3;)

Added 2009-11-02 20:30:41 UTC


# sid 2010165 rev 3 (text identical to the other rev:3 entries on this page). It requires three nocase
# `uricontent` substrings plus a case-sensitive /U pcre that fixes the order and value types of the
# adv, code1, code2, id and p query parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; uricontent:".php?adv="; nocase; uricontent:"&code1="; nocase; uricontent:"&code2="; nocase; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs; sid:2010165; rev:3;)

Added 2009-11-02 20:26:37 UTC


# sid 2010165 rev 3 (text identical to the other rev:3 entries on this page). It requires three nocase
# `uricontent` substrings plus a case-sensitive /U pcre that fixes the order and value types of the
# adv, code1, code2, id and p query parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; uricontent:".php?adv="; nocase; uricontent:"&code1="; nocase; uricontent:"&code2="; nocase; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs; sid:2010165; rev:3;)

Added 2009-11-02 20:26:37 UTC


# sid 2010165 rev 2 (one of two identical rev:2 entries on this page). The only change from rev 1 is
# in the pcre: `id=-?\d+` now also accepts a negative id value, where rev 1 required bare digits.
# Everything else is as in rev 1: three nocase `uricontent` substrings and a case-sensitive pcre on
# the normalized URI (/U), on established client-to-server traffic to $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; uricontent:".php?adv="; nocase; uricontent:"&code1="; nocase; uricontent:"&code2="; nocase; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; sid:2010165; rev:2;)

Added 2009-10-27 14:45:43 UTC


# sid 2010165 rev 2 (text identical to the other rev:2 entry on this page). The pcre accepts an
# optional leading '-' on the id parameter (`id=-?\d+`). The rest of the URI layout check is
# case-sensitive and runs on the normalized URI (/U).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; uricontent:".php?adv="; nocase; uricontent:"&code1="; nocase; uricontent:"&code2="; nocase; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; sid:2010165; rev:2;)

Added 2009-10-27 14:45:43 UTC


# sid 2010165 rev 1 (earliest entry on this page): alerts on established client-to-server traffic
# from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS when the URI contains ".php?adv=", "&code1=" and
# "&code2=" (nocase) and the case-sensitive pcre on the normalized URI (/U) matches
# adv=adv<digits>, code1=<word chars>, code2=<digits>, id=<digits>, p=<digits> in that order.
# The id parameter must be unsigned digits here, so a request with a negative id does not match this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; uricontent:".php?adv="; nocase; uricontent:"&code1="; nocase; uricontent:"&code2="; nocase; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=\d+&p=\d+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; sid:2010165; rev:1;)

Added 2009-10-27 14:00:39 UTC

