# sid:2026460 rev:3 — ET TROJAN Possible Locky JS Downloading Payload
#
# Purpose: tag (not alert on) an outbound HTTP GET whose shape matches the
# request a Locky JavaScript downloader makes when fetching its payload.
# The rule sets the flowbit ET.Locky and carries flowbits:noalert, so by
# itself it never raises an event; presumably a companion rule (not shown
# on this page) checks the flowbit and produces the alert — verify against
# the rest of the ET ruleset before relying on this sid for detection.
#
# What has to be true of the request for the flowbit to be set:
#   - direction $HOME_NET -> $EXTERNAL_NET, established flow, client side
#   - method GET, URI shorter than 12 bytes
#   - no "Referer:" header present (negated http_header content)
#   - header buffer contains "Accept: */*\r\n"
#   - "Accept: */*\r\nAccept-Encoding: gzip, deflate\r\n" appears, and is
#     the fast_pattern for pre-filtering. Note this content has no
#     http_header modifier after it, so it is matched in the raw payload
#     rather than the normalized header buffer — looks intentional, but
#     confirm this is the desired buffer
#   - URI (/U) is "/" followed by 6-10 chars of [a-z0-9], with the two
#     lookaheads requiring at least one digit AND at least one letter
#   - a User-Agent header line (/Hm) containing "MSIE" or "rv:11"
#
# Reviewer notes:
#   - the first Accept content is an exact prefix of the second, so it is
#     implied by the fast_pattern match and adds no selectivity
#   - the header combination (short alphanumeric path, no Referer, IE-style
#     UA, */* Accept) is likely not unique to Locky; any false positives
#     surface in whichever rule consumes the ET.Locky flowbit, so tune there
#   - the two md5 references are sample hashes from the original analysis
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Locky JS Downloading Payload"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; fast_pattern; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{6,10}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+?(?:MSIE|rv\x3a11)/Hm"; flowbits:set,ET.Locky; flowbits:noalert; metadata: former_category TROJAN; reference:md5,c6896184db5c07ebadf40115138b2f4c; reference:md5,cb8f78317622f8ae855ac25ef4cf3688; classtype:trojan-activity; sid:2026460; rev:3; metadata:created_at 2016_03_16, updated_at 2018_10_09;)

Added 2018-10-09 18:08:44 UTC

