# sid:2013976 rev:10 (entry dated 2017-08-07): DISABLED. The leading "#" means
# this copy does not alert unless a local policy re-enables it.
# Purpose: flag an outbound POST whose raw request headers appear in a fixed
# order (Accept: */*, User-Agent: Mozilla..., a Content-Length whose first digit
# is not 0, Connection: Keep-Alive, a header ending in ": no-cache", then the
# blank line) and which has no Content-Type header.
# Header uses protocol "http" with "any" ports instead of tcp/$HTTP_PORTS, so
# matching is not tied to the configured HTTP port list.
# The content matches without an http_* modifier are chained with distance:0
# against the raw stream, so coverage depends on that exact header order.
# content:!"NetflixId="; http_header is an exclusion; presumably a
# false-positive carve-out for Netflix clients (the page does not say).
# NOTE(review): the msg ends in "CnC?" and every matched value is a generic
# header shape, so treat hits as low-confidence leads to corroborate with
# host or proxy evidence.
# NOTE(review): rev:10 here is lower than the rev:11 entry dated 2012-10-29,
# and updated_at equals created_at (2011_12_01) despite later revisions.
# Confirm which copy is authoritative before deploying.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zeus POST Request to CnC? - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:10; metadata:created_at 2011_12_01, updated_at 2011_12_01;)

Added 2017-08-07 21:07:16 UTC


# sid:2013976 rev:11 (entry dated 2012-10-29): DISABLED. The rule is commented
# out, so it produces no alerts as shipped. The page gives no reason.
# Purpose: flag an outbound POST to $HTTP_PORTS whose raw headers follow a fixed
# order (Accept: */*, User-Agent: Mozilla..., non-zero-leading Content-Length,
# Connection: Keep-Alive, ": no-cache", end of headers) with no Content-Type
# header and no "NetflixId=" anywhere in the headers.
# Apart from the leading "#" and the rev number, the options are the same as
# the enabled rev:10 entry dated 2012-04-24.
# NOTE(review): if re-enabling locally, expect false positives; the matched
# values are common header strings and the msg itself is marked "CnC?".
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC? - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:11;)

Added 2012-10-29 22:23:49 UTC


# sid:2013976 rev:10 (entry dated 2012-04-24): enabled.
# Purpose: flag an outbound POST to $HTTP_PORTS whose raw headers follow a fixed
# order (Accept: */*, User-Agent: Mozilla..., non-zero-leading Content-Length,
# Connection: Keep-Alive, ": no-cache", end of headers) with no Content-Type
# header and no "NetflixId=" anywhere in the headers.
# This revision adds "nocase" to the POST method match; the rev:7 entry on this
# page matched the method case-sensitively.
# fast_pattern is set on the 34-byte Accept/User-Agent string, which is the
# longest literal in the rule.
# NOTE(review): detection rests on header order and generic values only; pair
# alerts with endpoint or proxy evidence before treating a host as infected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC? - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:10;)

Added 2012-04-24 19:36:28 UTC


# sid:2013976 rev:7 (entry dated 2012-01-31): enabled.
# Purpose: flag an outbound POST to $HTTP_PORTS whose raw headers follow a fixed
# order (Accept: */*, User-Agent: Mozilla..., non-zero-leading Content-Length,
# Connection: Keep-Alive, ": no-cache", end of headers) with no Content-Type
# header.
# This revision introduces content:!"NetflixId="; http_header, which the rev:6
# entry on this page lacks. It is presumably a false-positive exclusion for
# Netflix client traffic (the page does not state the reason).
# The POST method match has no "nocase" here, so it is case-sensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC? - URL agnostic"; flow:established,to_server; content:"POST"; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:7;)

Added 2012-01-31 01:29:20 UTC


# sid:2013976 rev:6 (entry dated 2012-01-09): enabled.
# Purpose: flag an outbound POST to $HTTP_PORTS whose raw headers follow a fixed
# order (Accept: */*, User-Agent: Mozilla..., non-zero-leading Content-Length,
# Connection: Keep-Alive, ": no-cache", end of headers) with no Content-Type
# header.
# The request line is matched as " HTTP/1." followed by the 34-byte
# Accept/User-Agent string with distance:1; within:34. As written this appears
# to skip exactly one byte (the HTTP minor-version digit) and then require the
# headers immediately, so the version is no longer fixed to 1.1 as in rev:3.
# No NetflixId exclusion in this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC? - URL agnostic"; flow:established,to_server; content:"POST"; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:6;)

Added 2012-01-09 22:46:50 UTC


# sid:2013976 rev:3 (entry dated 2011-12-01): earliest revision on this page,
# enabled.
# Purpose: flag an outbound POST to $HTTP_PORTS whose raw headers follow a fixed
# order (Accept: */*, User-Agent: Mozilla..., non-zero-leading Content-Length,
# Connection: Keep-Alive, ": no-cache", end of headers) with no Content-Type
# header.
# The request-line and first two headers are one literal
# (" HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla"), so only HTTP/1.1 requests
# with Accept as the first header can match.
# NOTE(review): the rule has no URI or payload content, only header shape, so
# alerts need corroboration before attribution to Zeus.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC? - URL agnostic"; flow:established,to_server; content:"POST"; http_method; content:" HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:3;)

Added 2011-12-01 18:59:19 UTC

