#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9; metadata:created_at 2010_09_28, updated_at 2016_12_19;)

Added 2017-08-07 21:04:28 UTC


#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9;)

Added 2016-12-19 21:04:00 UTC


#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9;)

Added 2016-12-19 21:00:11 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:8;)

Added 2015-08-10 20:21:43 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; classtype:trojan-activity; sid:2011295; rev:7;)

Added 2012-08-08 23:16:23 UTC

This seems to be a false positive. I have communication of an Apple Mac OSX device triggering this rule on port 7607 UDP, which is Apple QuickTime.

-- TorgeSzczepanek - 2014-07-07

Does this trigger often? Could you possibly attach a pcap of this occurring or share it with me by e-mailing it to dhuss at emergingthreats dot net?

-- DarienH - 2014-07-07


alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:5;)

Added 2011-10-12 19:31:45 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; classtype:trojan-activity; flowbits:noalert; sid:2011295; rev:5;)

Added 2011-05-23 18:40:23 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; classtype:trojan-activity; flowbits:noalert; sid:2011295; rev:5;)

Added 2011-05-23 18:25:47 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; classtype:trojan-activity; flowbits:noalert; sid:2011295; rev:4;)

Added 2011-05-07 08:31:48 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:noalert; flowbits:set,ET.ButterflyJoin; classtype:trojan-activity; sid:2011295; rev:2;)

Added 2011-02-04 17:31:06 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; flowbits:noalert; flowbits:set,ET.ButterflyJoin; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa; sid:2011295; rev:2;)

Added 2010-08-04 13:16:03 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|0000|"; distance:18; flowbits:noalert; flowbits:set,ET.ButterflyJoin; classtype:trojan-activity; sid:2011295; rev:1;)

Added 2010-08-03 17:24:30 UTC


Topic revision: r3 - 2014-07-07 - DarienH
 