# sid 2021630, rev 2, as listed on 2017-11-01: the leading '#' comments the rule out, so it
# ships disabled in this snapshot. Apart from that marker the text matches the 2017-08-07 entry.
# Purpose: alert on an inbound RDP (tcp/3389) connection request whose "mstshash" cookie is a
# single letter, which the msg associates with possible Morto activity.
# Tuning notes before re-enabling:
#   - The pattern matches any client that presents a one-letter mstshash value, so expect hits
#     from legitimate short account names; correlate with repeated attempts from the same source.
#   - Only $EXTERNAL_NET -> $HOME_NET traffic to port 3389 is inspected; RDP on other ports and
#     host-to-host traffic inside $HOME_NET are outside this rule's scope.
#   - flowbits:set,ET.RDP.Morto marks the flow; presumably other rules test this bit, so check
#     for dependents before leaving it disabled (not visible on this page).
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET TROJAN MS Terminal Server Single Character Login possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; content:"|0d 0a|"; distance:1; within:2; nocase; pcre:"/Cookie\x3a mstshash=[a-zA-Z]\r\n/"; flowbits:set,ET.RDP.Morto; metadata: former_category TROJAN; reference:cve,CAN-2001-0540; classtype:trojan-activity; sid:2021630; rev:2; metadata:created_at 2015_08_14, updated_at 2017_05_11;)

Added 2017-11-01 16:17:52 UTC


# sid 2021630, rev 2, as listed on 2017-08-07: enabled. Compared with the 2017-05-12 entry only
# metadata was added (former_category, created_at, updated_at); the detection options are the same.
# Purpose: alert on an inbound RDP connection request carrying a one-letter "mstshash" cookie.
# Match logic, in option order:
#   - content "|03 00 00|" with depth:3 pins the first three payload bytes: TPKT version 3,
#     reserved 0, and a zero high byte of the length field (packet shorter than 256 bytes).
#   - content "|e0 00 00 00 00 00|" with offset:5, depth:6 pins bytes 5-10: the X.224 Connection
#     Request code followed by five zero bytes.
#   - content "Cookie: mstshash=" then content CRLF with distance:1, within:2 requires exactly
#     one byte between the '=' and the CRLF.
#   - the pcre restricts that one byte to [a-zA-Z].
# The metadata keyword appears twice in this revision (once before reference, once at the end).
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET TROJAN MS Terminal Server Single Character Login possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; content:"|0d 0a|"; distance:1; within:2; nocase; pcre:"/Cookie\x3a mstshash=[a-zA-Z]\r\n/"; flowbits:set,ET.RDP.Morto; metadata: former_category TROJAN; reference:cve,CAN-2001-0540; classtype:trojan-activity; sid:2021630; rev:2; metadata:created_at 2015_08_14, updated_at 2017_05_11;)

Added 2017-08-07 21:16:20 UTC


# sid 2021630, rev 2, as listed on 2017-05-12: the only visible change from rev 1 is the msg
# text (the comma after "Login" was dropped) and the rev number.
# Purpose: alert on an inbound RDP (tcp/3389) connection request whose "mstshash" cookie is a
# single letter, flagged in the msg as possible Morto activity.
# NOTE(review): 'nocase' follows the CRLF content, so as written it modifies that match rather
# than "Cookie: mstshash="; the pcre also carries no /i flag. The cookie name is therefore
# matched case-sensitively - confirm whether that was intended.
# NOTE(review): the pcre class is [a-zA-Z], so a one-character value that is a digit or symbol
# passes the content checks but does not alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET TROJAN MS Terminal Server Single Character Login possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; content:"|0d 0a|"; distance:1; within:2; nocase; pcre:"/Cookie\x3a mstshash=[a-zA-Z]\r\n/"; flowbits:set,ET.RDP.Morto; reference:cve,CAN-2001-0540; classtype:trojan-activity; sid:2021630; rev:2;)

Added 2017-05-12 14:59:44 UTC


# sid 2021630, rev 1, as listed on 2015-08-14: the oldest revision on this page.
# Purpose: alert on an inbound RDP (tcp/3389) connection request whose "mstshash" cookie is a
# single letter, flagged in the msg as possible Morto activity.
# flow:to_server,established limits inspection to client-to-server data on an established
# session; the two byte patterns anchor the match to the start of the connection request
# before the cookie content and pcre are evaluated.
# flowbits:set,ET.RDP.Morto records the match on the flow for use by other rules.
# The reference uses the "CAN-" prefix, the older candidate form of a CVE identifier.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET TROJAN MS Terminal Server Single Character Login, possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; content:"|0d 0a|"; distance:1; within:2; nocase; pcre:"/Cookie\x3a mstshash=[a-zA-Z]\r\n/"; flowbits:set,ET.RDP.Morto; reference:cve,CAN-2001-0540; classtype:trojan-activity; sid:2021630; rev:1;)

Added 2015-08-14 18:57:34 UTC

