# sid 2015560, rev 7: alerts on a server-to-client TLS handshake (external server,
# internal client) whose certificate carries the organizationName "MyCompany Ltd.".
#   |16 03|              TLS record type 0x16 (handshake) followed by version major byte 0x03;
#                        no depth/offset, so it is not pinned to the start of the payload
#   |0b| within:7        handshake type 0x0b (Certificate) shortly after that record header
#   |55 04 0a|           DER-encoded OID 2.5.4.10 (organizationName), anywhere in the payload
#   |0e|MyCompany Ltd.   length byte 0x0e (14) plus the 14-character value; distance:1/within:15
#                        leave room for one intervening byte (presumably the ASN.1 string-type tag)
# The msg cites the abuse.ch SSL blacklist, but the match is on the organization string, not on a
# certificate fingerprint: any certificate with this O= value alerts. Confirm a hit against
# sslbl.abuse.ch (certificate hash, destination) before treating it as C2.
# NOTE(review): these are payload matches on a cleartext Certificate message; TLS 1.3 encrypts
# that message, so expect coverage for TLS 1.2 and earlier handshakes only.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 0a|"; content:"|0e|MyCompany Ltd."; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:bad-unknown; sid:2015560; rev:7;)

Added 2016-07-28 20:57:21 UTC


# sid 2015560, rev 6: same match options as the rev 7 entry on this page; only the msg differs.
# Detection: TLS handshake record (|16 03|), Certificate handshake type (|0b|), organizationName
# OID 2.5.4.10 (|55 04 0a|), then length 0x0e and the value "MyCompany Ltd.".
# The match is on the organization string, not on a certificate fingerprint, so it is a heuristic:
# any certificate with this O= value alerts.
# NOTE: the msg in this revision carries a doubled "ET TROJAN" prefix; alert-text filters keyed on
# the exact msg will not match both rev 6 and rev 7 - key on sid instead.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock, URLzone, or Gootkit C2)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 0a|"; content:"|0e|MyCompany Ltd."; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:bad-unknown; sid:2015560; rev:6;)

Added 2016-01-29 16:38:38 UTC


# sid 2015560, rev 5 (entry added 2015-10-16): msg names Shylock or URLzone C2.
# Detection: TLS handshake record (|16 03|), Certificate handshake type (|0b|), organizationName
# OID 2.5.4.10 (|55 04 0a|), then length 0x0e and the value "MyCompany Ltd.".
# The match is on the organization string in a cleartext certificate, not on a fingerprint.
# NOTE: this entry and the 2014-07-18 entry on this page both carry rev:5 with different msg text,
# so sid+rev alone does not identify which msg a deployed copy uses.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock or URLzone C2)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 0a|"; content:"|0e|MyCompany Ltd."; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:bad-unknown; sid:2015560; rev:5;)

Added 2015-10-16 12:18:20 UTC


# sid 2015560, rev 5 (entry added 2014-07-18): first revision on this page that uses the tls
# protocol keyword with any source port, and that ties the string to the organizationName field.
#   |55 04 0a|           DER-encoded OID 2.5.4.10 (organizationName)
#   |0e|MyCompany Ltd.   length byte 0x0e (14) plus the value; distance:1/within:15 leave room for
#                        one intervening byte (presumably the ASN.1 string-type tag)
# Compared with the rev 3 entries below it, this stops the string from matching in other
# certificate fields, but it is still an organization-name heuristic rather than a fingerprint match.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 0a|"; content:"|0e|MyCompany Ltd."; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:bad-unknown; sid:2015560; rev:5;)

Added 2014-07-18 09:21:22 UTC


# sid 2015560, rev 3 (entry added 2013-04-27): plain tcp rule limited to server port 443.
#   |16 03| then |0b| within:7   TLS handshake record followed by the Certificate handshake type
#   "MyCompany Ltd"              bare string with no distance/within, so it may match anywhere in
#                                the payload, not only in the certificate's organizationName
# Coverage limits: servers on ports other than 443 are not inspected, and the loose string match
# makes false positives more likely than in the later tls revisions on this page.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany? Ltd) likely Shylock CnC?"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"MyCompany Ltd"; classtype:bad-unknown; sid:2015560; rev:3;)

Added 2013-04-27 00:46:55 UTC


# sid 2015560, rev 3 (entry added 2013-04-26): rule text is identical to the 2013-04-27 entry.
# Matches a TLS handshake record (|16 03|) with the Certificate handshake type (|0b|) from an
# external server on port 443, plus the bare string "MyCompany Ltd" anywhere in the payload.
# The msg says "Self Signed", but nothing in the rule checks that issuer and subject are equal.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany? Ltd) likely Shylock CnC?"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"MyCompany Ltd"; classtype:bad-unknown; sid:2015560; rev:3;)

Added 2013-04-26 18:35:52 UTC


# sid 2015560, rev 3 (entry added 2012-08-01): earliest entry on this page, filed under
# ET CURRENT_EVENTS with no malware family named in the msg.
# Match options are the same as the later rev 3 entries: TLS handshake record (|16 03|),
# Certificate handshake type (|0b|) within 7 bytes, and the bare string "MyCompany Ltd" anywhere
# in a server-to-client payload from port 443.
# The msg category changed to ET TROJAN in later entries while rev stayed at 3, so alert filters
# should key on sid rather than on the msg prefix.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate to (MyCompany? Ltd) could be SSL CnC?"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"MyCompany Ltd"; classtype:bad-unknown; sid:2015560; rev:3;)

Added 2012-08-01 20:16:42 UTC

