# Commented-out entry (leading '#'): in this form the rule raises no alerts unless it is re-enabled.
# Logic: established client-to-server HTTP from $HOME_NET to $EXTERNAL_NET on destination ports 1024 and above,
# with the literal "/?bot_id=0&mode=1" in the URI buffer (http_uri). It is the rule's only content match and is
# case-sensitive (no nocase), so a request carrying a different bot_id or mode value does not match.
# Scope: destination ports below 1024 are outside this rule; presumably a companion signature covers them - confirm in the ruleset.
# Differs from the next entry on this page only in metadata layout: former_category sits inside the single metadata keyword.
#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
Added 2020-08-05 19:05:21 UTC
# Commented-out rev:7 entry. Detection keywords (flow, content, http_uri, fast_pattern:only) match the other alert http entries on this page.
# What is specific here: former_category MALWARE is carried in its own metadata keyword, placed before the reference keyword,
# in addition to the metadata keyword holding created_at/updated_at. rev is still 7, so the revision number alone does not
# distinguish this text from the other rev:7 entries.
#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2019-09-26 19:56:13 UTC
# Commented-out rev:7 entry with no former_category metadata; only created_at/updated_at are recorded.
# Same match as the active alert http entry on this page: URI literal "/?bot_id=0&mode=1" on established
# client-to-server HTTP towards external ports 1024 and above. With the leading '#' it is inert until re-enabled.
#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:39:51 UTC
Added 2018-09-13 17:53:51 UTC
# Commented-out rev:7 entry; apart from the leading '#', its text equals the active alert http entry that follows it on this page.
# NOTE(review): the page does not say why the rule was disabled - check the ruleset changelog before re-enabling it.
#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-02-07 18:13:53 UTC
# Active rev:7 entry (no leading '#'), and the first on this page to use the http protocol and the http_uri buffer
# instead of raw TCP payload offsets. The dsize and Host-header conditions of the alert tcp entries are gone:
# the URI literal "/?bot_id=0&mode=1" is the only content condition.
# Because the protocol is http while the port range is 1024 and above, the rule depends on the engine recognising
# the flow as HTTP on non-standard ports - verify with a replayed capture before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 21:01:31 UTC
# rev:5, raw TCP form. Conditions, all on a single client-to-server packet of an established flow to an external port of 1024 or above:
#   dsize:<160                              - payload shorter than 160 bytes; a check-in with extra headers that exceeds this is not matched
#   content:"GET /?bot_id=0&mode=1"; depth:21 - the 21-byte request-line prefix must sit at the very start of the payload
#   content:"Host|3a| "; distance:0          - "Host: " (|3a| is ':') must appear somewhere after that prefix
# Only GET is covered, and the match is case-sensitive (no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:5;)
Added 2011-10-12 19:24:58 UTC
# rev:5, raw TCP form. Same detection keywords as the other rev:5 entries on this page; this text differs only in
# option order (classtype precedes reference), which does not change what the rule matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; sid:2008358; rev:5;)
Added 2011-09-14 22:38:25 UTC
# rev:5, raw TCP form, still carrying the second reference to the cvsweb signature path that the other rev:5 entries omit.
# Relative to rev:3 the Host condition is written "Host|3a| " rather than "|0d 0a|Host\: ": the CRLF before the header
# name is no longer required and the colon is given as hex instead of a backslash escape.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:5;)
Added 2011-02-04 17:27:31 UTC
# rev:3, raw TCP form. The msg spells the family "Cutwail" here, where rev:1 and rev:2 have "Cutwall".
# The second content requires CRLF immediately before "Host: " (|0d 0a| then Host, escaped colon, space), located anywhere
# after the 21-byte "GET /?bot_id=0&mode=1" prefix (distance:0); dsize:<160 limits the match to short packets.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:3;)
Added 2009-07-12 17:00:36 UTC
# rev:3, raw TCP form; the text repeats the preceding rev:3 entry on this page and is followed by the same "Added" timestamp.
# Conditions: short packet (dsize:<160), "GET /?bot_id=0&mode=1" at payload start (depth:21), then CRLF + "Host: " later in the packet.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:3;)
Added 2009-07-12 17:00:36 UTC
# rev:2, raw TCP form. Detection keywords equal rev:1; this revision adds the two reference:url keywords.
# The msg spells the family "Cutwall" (later revisions use "Cutwail"), so alerts logged under this revision carry that
# spelling - search historic alert data by sid:2008358 rather than by msg text.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:2;)
Added 2009-02-13 19:30:23 UTC
# rev:2, raw TCP form; the text repeats the preceding rev:2 entry on this page and is followed by the same "Added" timestamp.
# msg still reads "Cutwall"; match conditions are dsize:<160, the 21-byte GET prefix at payload start, and CRLF + "Host: " after it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:2;)
Added 2009-02-13 19:30:23 UTC
# rev:1, raw TCP form, with no reference keywords. It alerts on an established client-to-server packet from $HOME_NET to an
# external port of 1024 or above that is under 160 bytes (dsize:<160), begins with "GET /?bot_id=0&mode=1" (depth:21) and
# later contains CRLF + "Host: " (distance:0). The msg spells the family "Cutwall"; later revisions use "Cutwail".
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; sid:2008358; rev:1;)
Added 2008-06-30 10:28:32 UTC
Sample request (unconfirmed, but a perfect match for the signature):
GET /?bot_id=0&mode=1 HTTP/1.1..User-Agent: imrabot..Host: sys365.3fn.net:2084
--
RussellFulton - 04 Dec 2008