#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; nocase; depth:3; http_method; content:!"Referer|3a| "; http_header; nocase; uricontent:"trest1"; fast_pattern; nocase; content:"User-Agent|3a| "; http_header; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; classtype:trojan-activity; sid:2010596; rev:3;)

Added 2014-10-30 17:27:52 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; nocase; depth:3; http_method; content:!"Referer|3a| "; http_header; nocase; uricontent:"trest1"; fast_pattern; nocase; content:"User-Agent|3a| "; http_header; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; classtype:trojan-activity; sid:2010596; rev:2;)

Added 2011-10-12 19:30:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; nocase; depth:3; http_method; content:!"Referer|3a| "; http_header; nocase; uricontent:"trest1"; fast_pattern; nocase; content:"User-Agent|3a| "; http_header; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; classtype:trojan-activity; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; sid:2010596; rev:2;)

Added 2011-09-14 22:43:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; nocase; depth:3; http_method; content:!"Referer|3a| "; http_header; nocase; uricontent:"trest1"; fast_pattern; nocase; content:"User-Agent|3a| "; http_header; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; classtype:trojan-activity; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Trest1; sid:2010596; rev:2;)

Added 2011-02-04 17:30:11 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"trest1"; nocase; content:"|0d 0a|User-Agent\: "; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; classtype:trojan-activity; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Trest1; sid:2010596; rev:2;)

Added 2010-10-01 17:16:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"trest1"; nocase; content:"|0d 0a|User-Agent\: "; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; classtype:trojan-activity; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Trest1; sid:2010596; rev:2;)

Added 2010-10-01 17:16:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"trest1"; nocase; content:"|0d 0a|User-Agent\: "; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; classtype:trojan-activity; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Trest1; sid:2010596; rev:1;)

Added 2009-12-29 10:00:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"trest1"; nocase; content:"|0d 0a|User-Agent\: "; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; classtype:trojan-activity; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Trest1; sid:2010596; rev:1;)

Added 2009-12-29 09:58:49 UTC


Topic revision: r1 - 2014-10-30 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats