# ET sid 2019482: outbound HTTP request whose URI has the five-segment shape attributed to Orca RAT (see the reference URL in the rule).
# All of the following must hold for an alert:
#   - Flow: established, client-to-server, $HOME_NET -> $EXTERNAL_NET, identified as HTTP.
#   - URI contains "=2/" (fast_pattern:only, so this literal serves as the prefilter pattern).
#   - URI pcre (/U, normalized URI), anchored ^...$: exactly five "/"-separated segments of [A-Za-z0-9+~]+,
#     each optionally suffixed "=1" or "=2". Combined with "=2/", at least one non-final segment must end in "=2".
#   - Headers: no "Referer:" (|3a| is ':'), an "Accept-Encoding:" header present, and "User-Agent:" appearing
#     after it (distance:0 is relative to the end of the Accept-Encoding match).
#   - User-Agent pcre (/V, case-insensitive): contains " MSIE " or "rv:11" (\x3a is ':').
# NOTE(review): the segment alphabet looks like base64 with '~' in place of '/' — confirm against the referenced write-up.
# Coverage caveat: only cleartext HTTP to an external destination is inspected, and the header-order test sees
# headers as they appear at the sensor; a proxy that adds or reorders headers may change whether this matches.
# metadata former_category records that the rule was previously published under CURRENT_EVENTS; msg now uses TROJAN.
# NOTE(review): rev is 2 here and in the earlier listed versions although msg/metadata differ — verify that
# rule management keyed on sid+rev picks up this version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Orca RAT URI Struct 2"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/(?: MSIE |rv\x3a11)/Vi"; metadata: former_category CURRENT_EVENTS; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:2; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

Added 2019-09-10 20:12:52 UTC


# ET sid 2019482 (version published under the CURRENT_EVENTS category, with created_at/updated_at metadata).
# Alerts on an outbound HTTP request ($HOME_NET -> $EXTERNAL_NET, established, to_server) when all of these hold:
#   - URI contains "=2/" (fast_pattern:only: used as the prefilter pattern).
#   - URI pcre (/U, normalized URI), anchored ^...$: exactly five "/"-separated segments of [A-Za-z0-9+~]+,
#     each optionally followed by "=1" or "=2"; with "=2/" required, a non-final segment must end in "=2".
#   - No "Referer:" header; "Accept-Encoding:" present; "User-Agent:" located after it in the header buffer
#     (distance:0 is relative to the Accept-Encoding match; |3a| is ':').
#   - User-Agent (/V) contains " MSIE " or "rv:11", case-insensitive.
# NOTE(review): the URI alphabet resembles base64 with '~' substituted for '/' — confirm against the referenced write-up.
# Coverage caveat: cleartext HTTP only; header presence/order is evaluated as seen at the sensor, so an
# intermediate proxy that rewrites headers may affect matching.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 2"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/(?: MSIE |rv\x3a11)/Vi"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:2; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

Added 2018-09-13 19:49:36 UTC


Added 2018-09-13 17:59:10 UTC


# ET sid 2019482 (CURRENT_EVENTS category; carries created_at/updated_at metadata).
# Detection logic, every condition required, on established client-to-server HTTP from $HOME_NET to $EXTERNAL_NET:
#   1. Normalized URI contains the literal "=2/" (fast_pattern:only, i.e. the prefilter pattern).
#   2. Normalized URI (/U) is exactly five path segments drawn from [A-Za-z0-9+~], each with an optional
#      "=1" or "=2" suffix, anchored at both ends. With (1), some non-final segment ends in "=2".
#   3. Request headers have no "Referer:", do have "Accept-Encoding:", and "User-Agent:" follows it
#      (distance:0 ties the User-Agent match to the end of the Accept-Encoding match).
#   4. User-Agent value (/V, case-insensitive) contains " MSIE " or "rv:11".
# NOTE(review): alphabet appears to be a base64 variant using '~' instead of '/' — confirm against the referenced write-up.
# Coverage caveat: applies to cleartext HTTP only, and header checks reflect what the sensor observes,
# which may differ from what the client sent if a proxy rewrites headers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 2"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/(?: MSIE |rv\x3a11)/Vi"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:2; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

Added 2017-08-07 21:13:45 UTC


# ET sid 2019482 (CURRENT_EVENTS category; this version has no metadata keyword).
# Fires on established, client-to-server HTTP from $HOME_NET to $EXTERNAL_NET when all conditions hold:
#   - URI contains "=2/"; fast_pattern:only makes this literal the prefilter pattern.
#   - URI pcre (/U, normalized URI), anchored ^...$: five "/"-separated segments of [A-Za-z0-9+~]+, each
#     optionally suffixed with "=1" or "=2". Because "=2/" is required, a non-final segment must end in "=2".
#   - Header buffer: "Referer:" absent, "Accept-Encoding:" present, "User-Agent:" found after it
#     (distance:0 is relative to the Accept-Encoding match; |3a| encodes ':').
#   - User-Agent pcre (/V, case-insensitive): " MSIE " or "rv:11" (\x3a is ':').
# NOTE(review): segment alphabet looks like base64 with '~' replacing '/' — confirm against the referenced write-up.
# Coverage caveat: only cleartext HTTP is inspected; header order is judged as observed at the sensor,
# so proxies that add or reorder headers can influence the result.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 2"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/(?: MSIE |rv\x3a11)/Vi"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:2;)

Added 2014-10-20 18:04:19 UTC

