alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL?"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!"leg1.state.va.us"; http_header; nocase; classtype:trojan-activity; sid:2022566; rev:5;)

Added 2017-05-05 16:58:54 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL?"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!"leg1.state.va.us"; http_header; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022566; rev:5;)

Added 2017-05-03 17:35:23 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL?"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!"leg1.state.va.us"; http_header; nocase; classtype:trojan-activity; sid:2022566; rev:5;)

Added 2017-03-20 19:16:55 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL?"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!"leg1.state.va.us"; http_header; nocase; classtype:trojan-activity; sid:2022566; rev:5;)

Added 2017-03-17 17:48:44 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL?"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; classtype:trojan-activity; sid:2022566; rev:4;)

Added 2016-05-10 17:20:08 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL?"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; classtype:trojan-activity; sid:2022566; rev:4;)

Added 2016-05-10 13:42:20 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL?"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022566; rev:3;)

Added 2016-02-25 19:39:23 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL?"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022566; rev:3;)

Added 2016-02-25 17:45:42 UTC


Topic revision: r1 - 2017-05-05 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats