# sid 2013795, rev 9 -- the newest revision listed on this page.
# Fires on an established, client-to-server HTTP GET leaving $HOME_NET when:
#   - the URI contains "?sv=" (used as the fast_pattern) and "&tq=";
#   - the headers contain "User-Agent: chrome/9.0" (|3a| is the colon);
#   - the pcre matches the normalized URI (/U), case-insensitively (/i): a file
#     name ending in 1 or 2, an extension of php, png, jpg, jpeg, cgi or gif,
#     then "?sv=" + 2-3 digits + "&tq=".
# Review notes:
#   - The User-Agent content has no nocase and no trailing CRLF, so it matches
#     the lowercase string as a prefix of the header value.
#   - Detection depends on that fixed User-Agent string; traffic with the same
#     URI shape but another User-Agent is not covered by this revision, so the
#     absence of alerts is not conclusive on its own.
#   - All revisions on this page share one sid; load only one of them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?sv="; fast_pattern; http_uri; content:"&tq="; http_uri; content:"User-Agent|3a| chrome/9.0"; http_header; pcre:"/(?:1|2)\.(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq=/Ui"; classtype:trojan-activity; sid:2013795; rev:9;)

Added 2014-01-15 15:32:29 UTC


# sid 2013795, rev 8 -- historical; rev 9 of the same sid was added two days later.
# Fires on an established, client-to-server HTTP GET whose URI contains "?sv="
# (fast_pattern) and "&tq=". This revision has no User-Agent condition.
# The pcre (/U = normalized URI, /i = case-insensitive) requires
# ".<letters>?sv=<digits>&tq=" followed by a non-empty, correctly padded base64
# string (length a multiple of 4) that runs to the end of the URI or to the
# next "&".
# NOTE(review): with no header condition, detection rests on URI shape alone;
# presumably broader than the revisions that also match the User-Agent --
# confirm the false-positive rate before relying on this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?sv="; fast_pattern; http_uri; content:"&tq="; http_uri; pcre:"/\.[a-z]+?\?sv=\d+?&tq=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:$|&)/Ui"; classtype:trojan-activity; sid:2013795; rev:8;)

Added 2014-01-13 17:55:33 UTC


# sid 2013795, rev 5 -- historical; superseded by later revisions of the same sid.
# Fires on established, client-to-server traffic (no http_method condition, so
# not limited to GET) when:
#   - the URI contains "?sv=" (fast_pattern) and "&tq=";
#   - the headers contain "User-Agent: chrome/9.0" followed immediately by CRLF
#     (|3A 20| is ": ", |0D 0A| is CRLF), so longer values do not match;
#   - the pcre matches the normalized URI (/U): ".png", ".gif", ".jpeg" or
#     ".jpg" followed by "?sv=", written with hex escapes. There is no /i flag,
#     so the extension match is case-sensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to_server; content:"?sv="; fast_pattern; http_uri; content:"&tq="; http_uri; content:"User-Agent|3A 20|chrome/9.0|0D 0A|"; http_header; pcre:"/\x2e(png|gif|jpeg|jpg)\x3fsv\x3d/U"; classtype:trojan-activity; sid:2013795; rev:5;)

Added 2012-01-30 23:37:10 UTC


# sid 2013795, rev 2 -- historical; superseded by later revisions of the same sid.
# The only match condition is the header "User-Agent: chrome/9.0" terminated by
# CRLF on established, client-to-server traffic. The match is case-sensitive
# (no nocase) and there are no URI conditions.
# The match options are identical to rev 1; only the msg text differs (it now
# names Bifrose/Cycbot and calls the User-Agent "Suspicious").
# NOTE(review): a single User-Agent string is a weak indicator on its own;
# corroborate alerts from this revision with other evidence before acting.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot/Suspicious User-Agent (chrome/9.0)"; flow:established,to_server; content:"User-Agent|3A 20|chrome/9.0|0D 0A|"; http_header; classtype:trojan-activity; sid:2013795; rev:2;)

Added 2011-11-07 19:34:20 UTC


# sid 2013795, rev 1 -- the oldest revision listed on this page.
# Alerts on established, client-to-server traffic from $HOME_NET to
# $EXTERNAL_NET on $HTTP_PORTS whose headers contain "User-Agent: chrome/9.0"
# followed immediately by CRLF (|3A 20| is ": ", |0D 0A| is CRLF).
# The content match is case-sensitive (no nocase); no URI or method conditions.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bifrose User-Agent (chrome/9.0)"; flow:established,to_server; content:"User-Agent|3A 20|chrome/9.0|0D 0A|"; http_header; classtype:trojan-activity; sid:2013795; rev:1;)

Added 2011-10-24 14:48:54 UTC

