# ET TROJAN Waledac 2.0 / Storm Worm 3.0 — HTTP GET for "/" (urilen:1) from $HOME_NET to $EXTERNAL_NET whose
# headers carry a Content-Length (unusual on a GET) and the User-Agent
# "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)".
# The User-Agent is split across two http_header contents ("...Trid" + "ent/4.0)..."); the second pattern is
# exactly 20 bytes long, so within:20 requires it to follow the first match immediately.
# fast_pattern is on the second content, which runs past the end-of-headers CRLFCRLF into the 8 bytes
# 01 02 01 01 01 01 02 01. NOTE(review): those 8 bytes sit beyond the header terminator, i.e. at the start of
# the body; whether an http_header-restricted match can reach them depends on how the engine assembles that
# buffer — confirm with a sample pcap before relying on this revision.
# Text is identical to the 2015-09-11 rev:10 entry below apart from the added metadata keyword; updated_at
# still states 2011_01_05 although the match text was changed on 2015-09-11.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:10; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

Added 2017-08-07 21:05:13 UTC


# rev:10 as listed 2015-09-11. Versus the 2013-06-27 entry below (also rev:10) the text changed without a rev
# bump: the protocol is now "http" with port "any" (Suricata app-layer keyword) instead of tcp/$HTTP_PORTS,
# the trailing space after "Trid" in the User-Agent content is gone (the real header continues "Trident" with
# no space, so that space made the content unmatchable — see the 2015-09-11 comment on this page), and
# http_header is applied to both User-Agent contents (the 2013 text bound neither to a buffer).
# Matching: "/" URI (urilen:1), a Content-Length header, User-Agent split into two contents chained by
# within:20 (second pattern is 20 bytes, so they must be adjacent), and a fast_pattern content that extends
# past the CRLFCRLF header terminator into 8 non-header bytes. NOTE(review): whether http_header scope can
# reach those bytes is engine-dependent; verify with traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:10;)

Added 2015-09-11 18:50:02 UTC


# rev:10 as listed 2013-06-27. Relative to the 2012-03-19 rev:9 entry below, http_header was dropped from the
# User-Agent content, so neither User-Agent content is bound to a buffer: that pair is searched in raw payload
# while the GET / "/" / Content-Length checks use http_method, http_uri and http_header.
# Known defect: the first User-Agent content ends in "Trid " (trailing space), but the header value continues
# "Trident/4.0)" with no space. Because within:20 on the 20-byte second content requires adjacency, the chain
# would need the bytes "Trid ent/4.0)", which never occur — the rule cannot match the traffic it describes.
# Reported on this page 2015-09-11; corrected in the 2015-09-11 rev:10 text without a rev bump.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid "; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; within:20; classtype:trojan-activity; sid:2012136; rev:10;)

Added 2013-06-27 20:56:21 UTC

It looks like there is an extra space at the end of the User-Agent content which might prevent matching.

-- LauroSartori - 2015-09-11


# rev:9 as listed 2012-03-19; same rev number as the 2011-12-19 entry below but different text: nocase was
# added to the GET method check, and http_header was removed from the final content, so that content (and its
# within:20 link) now runs against raw payload while the User-Agent content stays in http_header.
# NOTE(review): chaining a raw-payload within onto an http_header match is engine-specific behaviour; check
# how the target engine resolves it.
# Carries the "Trid " trailing-space defect: the header continues "Trident" with no space, so the two
# User-Agent contents cannot chain and the rule is inert against the intended traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid "; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; within:20; classtype:trojan-activity; sid:2012136; rev:9;)

Added 2012-03-19 23:39:09 UTC


# rev:9 as listed 2011-12-19: first revision to use the HTTP inspection buffers (http_method, http_uri,
# http_header) instead of a raw "GET /" at depth:5, and to split the User-Agent into "...Trid " + "ent/4.0)...".
# The trailing space in "Trid " originates here: the real header reads "Trident" with no space, so the two
# contents can never chain (within:20 on a 20-byte pattern means immediately adjacent) and the rule does not
# fire on the traffic it targets. http_header placed after within:20 still binds the final content to the
# header buffer (modifiers attach to the preceding content regardless of order); that content also spans the
# CRLFCRLF terminator into 8 non-header bytes — NOTE(review): whether those bytes are reachable from an
# http_header match is engine-dependent; verify.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid "; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; within:20; http_header; classtype:trojan-activity; sid:2012136; rev:9;)

Added 2011-12-19 18:45:37 UTC


# rev:6 as listed 2011-10-19 — raw-payload version, no http_* buffers. "GET /" must be in the first 5 payload
# bytes (depth:5, case-sensitive), "\r\nContent-Length: " must end within 75 bytes of that match, and the full
# User-Agent line is a single content ending in CRLFCRLF plus the 8 bytes 01 02 01 01 01 01 02 01, i.e.
# User-Agent must be the last request header and the body must begin with those 8 bytes.
# Versus rev:5 below, the separate 8-byte content (within:10) was folded into the User-Agent content, removing
# the 0–2 byte slack. The User-Agent content has no relative modifier, so it is searched anywhere in the
# payload; no fast_pattern is declared.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET /"; depth:5; content:"|0d 0a|Content-Length|3a| "; within:75; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; classtype:trojan-activity; sid:2012136; rev:6;)

Added 2011-10-19 18:51:46 UTC


# rev:5 as listed 2011-10-12 — text identical to rev:4 below; only the rev number differs. Raw-payload
# matching: "GET /" in the first 5 bytes (depth:5, case-sensitive), "\r\nContent-Length: " ending within 75
# bytes of that, the full MSIE 8.0 / Trident/4.0 User-Agent line ending in CRLF, then the 8 bytes
# 01 02 01 01 01 01 02 01 within:10 of that line. The 8-byte pattern under within:10 allows at most 2 bytes of
# gap — room for the blank line that closes the headers — so in practice User-Agent is the last header and
# these bytes open the request body. No fast_pattern is declared.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET /"; depth:5; content:"|0d 0a|Content-Length|3a| "; within:75; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/4.0)|0d 0a|"; content:"|01 02 01 01 01 01 02 01|"; within:10; classtype:trojan-activity; sid:2012136; rev:5;)

Added 2011-10-12 19:33:32 UTC


# rev:4 as listed 2011-02-04 — earliest revision on this page; later republished unchanged as rev:5.
# Raw-payload matching: "GET /" in the first 5 bytes (depth:5, case-sensitive), "\r\nContent-Length: " ending
# within 75 bytes of that, the full MSIE 8.0 / Windows NT 6.1 / Trident/4.0 User-Agent line ending in CRLF,
# then the 8 bytes 01 02 01 01 01 01 02 01 within:10 of that line (at most 2 bytes of gap, i.e. the blank
# line ending the headers, so the bytes are effectively the first bytes of the body). No fast_pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET /"; depth:5; content:"|0d 0a|Content-Length|3a| "; within:75; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/4.0)|0d 0a|"; content:"|01 02 01 01 01 01 02 01|"; within:10; classtype:trojan-activity; sid:2012136; rev:4;)

Added 2011-02-04 17:32:01 UTC

