##alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"TV"; content:"VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU"; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:6;)

Added 2014-09-10 17:09:11 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:""; base64_decode:bytes 365, offset 0, relative; base64_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode."; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:2;)

Added 2012-10-31 21:16:59 UTC


Topic revision: r1 - 2014-09-10 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats