# sid 2022858 rev 3: outbound HTTP request ($HOME_NET -> $EXTERNAL_NET) whose User-Agent
# starts with "Microsoft BITS/", whose URI contains ".exe", and whose Host is a bare IPv4
# dotted quad with an optional :port.
#  - content:"Microsoft BITS/" is 15 bytes and depth:15, so it must sit at the very start of
#    the http_user_agent buffer; no nocase applies to it, so the match is case-sensitive.
#  - content:".exe"; http_uri; nocase matches anywhere in the URI (path or query string),
#    not only as the final extension.
#  - pcre .../W runs against the HTTP host buffer and is anchored with ^ and $, so the whole
#    Host value must be digits and dots; octets are not range-checked (\d{1,3}) and
#    IPv6-literal hosts are not covered.
#  - "alert http" only sees traffic the engine parses as HTTP; a BITS job over TLS is not
#    inspected unless it is decrypted upstream.
# Triage: BITS is a built-in Windows transfer service, so a hit is a lead (classtype
# misc-activity), not confirmation of Cerber. Correlate the destination IP and the BITS job
# on the endpoint.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; depth:15; fast_pattern; content:".exe"; http_uri; nocase; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/W"; metadata: former_category CURRENT_EVENTS; classtype:misc-activity; sid:2022858; rev:3; metadata:created_at 2016_06_03, updated_at 2017_12_01;)

Added 2017-12-01 17:37:46 UTC


# sid 2022858 rev 3 (same rule text as the entry added 17:37:46 UTC the same day).
# Fires on an established client-to-server HTTP request when all three conditions hold:
#  1. http_user_agent begins with "Microsoft BITS/" (15-byte content with depth:15;
#     case-sensitive; also the fast_pattern used for prefiltering).
#  2. http_uri contains ".exe" in any case, at any position in the URI.
#  3. The host buffer (pcre flag W) is exactly an IPv4-style dotted quad with an optional
#     ":port". The regex is anchored at both ends and does not validate octet values.
# Coverage limits: cleartext (or decrypted) HTTP only; hostnames and IPv6 literals do not
# match; payloads fetched under a non-.exe name do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; depth:15; fast_pattern; content:".exe"; http_uri; nocase; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/W"; metadata: former_category CURRENT_EVENTS; classtype:misc-activity; sid:2022858; rev:3; metadata:created_at 2016_06_03, updated_at 2017_12_01;)

Added 2017-12-01 16:43:58 UTC


# sid 2022858 rev 2 (with created_at/updated_at metadata): outbound BITS download of an
# .exe from a host given as a raw IPv4 address, matched against the HTTP header buffer.
#  - content:"User-Agent|3a 20|Microsoft BITS/"; http_header matches the literal header line
#    prefix ("|3a 20|" is ": "). It is case-sensitive and expects exactly one space after
#    the colon.
#  - fast_pattern:6,20 hands only the 20 bytes starting at offset 6 of that content
#    ("gent: Microsoft BITS") to the prefilter; the full content is still verified afterwards.
#  - content:".exe"; http_uri; nocase matches ".exe" anywhere in the URI.
#  - pcre .../H looks in the header buffer for "Host: <d.d.d.d>[:port]\r\n". It is
#    unanchored apart from the trailing CRLF and does not range-check octets.
#    NOTE(review): a Host header with different casing or spacing may evade this form,
#    depending on how the engine normalizes http_header. Confirm against the deployed engine.
# Triage: BITS is a legitimate Windows component; treat alerts as leads and correlate with
# the endpoint's BITS job history and the destination IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:to_server,established; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:6,20; content:".exe"; http_uri; nocase; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:misc-activity; sid:2022858; rev:2; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

Added 2017-08-07 21:17:51 UTC


# sid 2022858 rev 2 (no metadata keyword): alerts on an established client-to-server HTTP
# request from $HOME_NET to $EXTERNAL_NET where
#  - the header buffer contains the literal "User-Agent: Microsoft BITS/" (case-sensitive;
#    fast_pattern:6,20 selects the 20-byte slice "gent: Microsoft BITS" for prefiltering),
#  - the URI contains ".exe" in any case, at any position, and
#  - the header buffer contains a Host line whose value is an IPv4-style dotted quad with an
#    optional ":port", terminated by CRLF (pcre flag H; octet values are not validated).
# Coverage limits: only traffic parsed as HTTP is inspected; hostnames and IPv6 literals in
# Host do not match.
# NOTE(review): matching "Host: " as literal header text depends on header casing and
# spacing surviving normalization. Verify on the target engine.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:to_server,established; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:6,20; content:".exe"; http_uri; nocase; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:misc-activity; sid:2022858; rev:2;)

Added 2016-06-03 19:19:01 UTC


# sid 2022858 rev 2 as first published (2016-06-03): flags a Microsoft BITS client fetching
# a URI containing ".exe" from an external server addressed by IPv4 literal instead of a
# hostname.
#  - User-Agent check: literal "User-Agent: Microsoft BITS/" in http_header, case-sensitive;
#    fast_pattern:6,20 limits the prefilter pattern to 20 bytes from offset 6.
#  - URI check: ".exe", nocase, anywhere in http_uri (so a query string containing ".exe"
#    also satisfies it).
#  - Host check: pcre over the header buffer (flag H) for "Host: d.d.d.d[:port]\r\n"; each
#    octet is \d{1,3} with no 0-255 validation.
# classtype is misc-activity: the alert marks behaviour worth triage, not a confirmed
# infection. Cleartext or decrypted HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:to_server,established; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:6,20; content:".exe"; http_uri; nocase; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:misc-activity; sid:2022858; rev:2;)

Added 2016-06-03 19:18:30 UTC

