alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Checkin"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; http_header_names; content:!"Accept-"; content:!"Content-Type"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:8; metadata:created_at 2013_10_11, updated_at 2017_06_01;)

Added 2018-09-13 19:47:51 UTC
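The rev:8 rule above, expressed as a predicate over parsed HTTP requests. This is an added example, not part of the ET rule or this page; the two sample requests are constructed, and the `flow:established,to_server` condition is a stream-state check that is not modelled here.

```python
"""Added example: evaluate the content conditions of sid:2017584 rev:8.

Not Suricata code; a plain re-implementation of the rule's buffer checks.
"""

# Constructed sample requests (not real captures).
CHECKIN = (
    "POST /home/ HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Length: 42\r\n"
    "Connection: close\r\n\r\n"
)
BROWSER_POST = (
    "POST /home/ HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Accept-Language: en-US\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://example.invalid/\r\n\r\n"
)


def parse_request(raw):
    """Split a raw request into (method, uri, ordered header names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    names = [line.split(":", 1)[0] for line in lines[1:] if ":" in line]
    return method, uri, names


def header_names_buffer(names):
    """Mimic the http_header_names sticky buffer: each name wrapped in CRLF."""
    return "\r\n" + "\r\n".join(names) + "\r\n"


def matches_rev8(raw):
    """True when every content condition of the rev:8 rule holds."""
    method, uri, names = parse_request(raw)
    if method != "POST":                       # content:"POST"; http_method
        return False
    if len(uri) != 6 or "/home/" not in uri:   # urilen:6; content:"/home/"; http_uri
        return False
    buf = header_names_buffer(names)
    # Negated contents on http_header_names: none of these may appear.
    # "Accept-" covers Accept-Language/Accept-Encoding but not a bare "Accept".
    return not any(s in buf for s in ("Accept-", "Content-Type", "Referer"))
```

Unlike rev:7, which looked for `Content-Type|3a|` in the raw header buffer, rev:8 inspects only header names, so a value containing "Referer" would not affect the match.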


Added 2018-09-13 17:58:06 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Checkin"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:7; metadata:created_at 2013_10_11, updated_at 2017_06_01;)

Added 2017-08-07 21:11:30 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Checkin"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:7;)

Added 2017-06-02 16:55:28 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Checkin"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:6;)

Added 2017-06-01 16:43:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoLocker? Ransomware check-in"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:5;)

Added 2014-05-27 18:40:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoLocker? Ransomware check-in"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:4;)

Added 2013-10-18 13:08:20 UTC

False Pos

This page-view of deseretnews.com, a news organization in Salt Lake City, UT, triggered this rule.

SRC: GET /js/e289fa8b1c9cadd279127a157cd70c9317f86385.js?ver=116 HTTP/1.1
SRC: Host: www.deseretnews.com
SRC: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
SRC: Accept: /
SRC: Accept-Language: en-US,en;q=0.5
SRC: Accept-Encoding: gzip, deflate
SRC: Referer: http://www.deseretnews.com/home/
SRC: Cookie: DPISESSID=de50d9eb6fdaf6779b3717a0ce56acdee34ae1f5; optimizelySegments=%7B%22335304688%22%3A%22direct%22%2C%22335274732%22%3A%22false%22%2C%22335183517%22%3A%22none%22%2C%22335234815%22%3A%22ff%22%7D; optimizelyEndUserId=oeu1393283050040r0.6661312226574605; optimizelyBuckets=%7B%7D; __qca=P0-81048421-1393283051954; __utma=223183748.449348750.1393283052.1393283052.1393283052.1; __utmb=223183748.5.10.1393283052; __utmc=223183748; __utmz=223183748.1393283052.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_cc=true; s_pv=DN%2Fhome%2FIndex; s_sq=%5B%5BB%5D%5D; __vrf=1393283053123HACUyHjqbjOqYzHB17ZShwd6RnsvNXjj; __gads=ID=77f9ed7cd399c342:T=1393283034:S=ALNI_MZtL-pGoTV5pVrMeEJNdSzWBBgacQ; cX_S=hs2cr8x5j3y8rlhw; cX_P=hs2cr8xauk7jm0em; s_ppv=16; _cb_ls=1; _chartbeat2=m5cxw0nc8r3ih1tf.1393283056622.1393284260386.1; _chartbeat_uuniq=2; _cb_cp=irc4xmjh9zmqspie; _chartbeat4=t=irc4xmjh9zmqspie&E=5&x=0&c=4.94&y=5273&w=823
SRC: Connection: keep-alive
SRC: Pragma: no-cache
SRC: Cache-Control: no-cache

-- JayBee - 2014-02-25


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoLocker? Ransomware check-in"; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:3;)

Added 2013-10-11 19:06:16 UTC


Topic revision: r2 - 2014-02-25 - JayBee