#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttpRequest?.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:4;)

Added 2016-03-11 18:14:52 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttpRequest?.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:2;)

Added 2012-05-24 17:51:46 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Thetatic.A Client POST Get CMD"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttpRequest?.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:2;)

Added 2012-05-21 19:00:45 UTC


Topic revision: r1 - 2016-03-11 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats