# sid:2022488 rev:3 -- this entry is commented out, i.e. shipped disabled; the page does not say why.
# Purpose: flag a TLS server certificate, sent from $EXTERNAL_NET port 443 to $HOME_NET, whose raw
# DER bytes contain, in this order:
#   |09 00|      presumably the length byte and leading zero of a 9-byte serial number -- TODO confirm
#   |55 04 06|   OID 2.5.4.6 countryName         -> length 02, "US"
#   |55 04 08|   OID 2.5.4.8 stateOrProvinceName -> length 02, "NY"
#   |55 04 07|   OID 2.5.4.7 localityName        -> length 08, "New York" (chosen as fast_pattern)
#   Each value uses distance:1 to skip one byte after the OID (the string type tag) and a `within`
#   equal to length byte + value, so the value must sit directly behind its OID.
# The final |55 04 03| (OID 2.5.4.3 commonName) has no distance/within, so it is not ordered relative
# to the earlier matches. The two byte_tests read the byte at relative offset 1 (the length byte) and
# require 27 < len < 30, i.e. 28 or 29. The pcre (R = relative, s = dot matches any byte) skips the
# tag and length, then requires 25 lowercase letters, ".", a 2-3 letter lowercase TLD (25+1+2 = 28,
# 25+1+3 = 29), and finally "0" or "1" -- bytes 0x30/0x31, the SEQUENCE/SET tag that follows the
# name, which pins where the name ends.
# Coverage limits: only source port 443 is inspected; the certificate must be visible in cleartext,
# so TLS 1.3 sessions (encrypted Certificate message) cannot trigger it; issuer and subject fields
# are not told apart. C=US/ST=NY/L=New York is not unusual on its own -- the CN shape is the
# discriminating part. The msg ends in "?", so treat a hit as a lead to check against
# sslbl.abuse.ch rather than as a confirmed family attribution.
#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC?)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; metadata: former_category MALWARE; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022488; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_04, updated_at 2016_07_01;)

Added 2020-02-26 20:42:19 UTC


# sid:2022488 rev:3, enabled form. Matches a server-side TLS certificate (flow:established,from_server,
# source port 443) by raw bytes rather than by parsed fields:
#   |09 00|                      presumably a 9-byte serial number with a leading zero -- TODO confirm
#   |55 04 06| ... |02|US        countryName (OID 2.5.4.6) = "US"
#   |55 04 08| ... |02|NY        stateOrProvinceName (OID 2.5.4.8) = "NY"
#   |55 04 07| ... |08|New York  localityName (OID 2.5.4.7) = "New York", used as fast_pattern
#   |55 04 03|                   commonName (OID 2.5.4.3): length byte must be 28 or 29 (byte_test
#                                pair), and the pcre demands 25 lowercase letters + "." + a 2-3 letter
#                                TLD, followed by 0x30/0x31 ("0"/"1"), the next ASN.1 tag.
# Because the match is on raw payload, issuer and subject attributes are not distinguished; a sticky
# buffer such as tls.cert_subject would bind the test to the parsed subject -- NOTE(review): consider
# when next revising, behavior not verified here.
# Blind spots: servers on ports other than 443, and TLS 1.3, where the Certificate message is
# encrypted. Two metadata keywords are present; the first records former_category MALWARE.
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC?)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; metadata: former_category MALWARE; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022488; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_04, updated_at 2016_07_01;)

Added 2019-09-19 19:26:35 UTC


# sid:2022488 rev:3 with a single metadata keyword (no former_category entry in this line).
# Detection logic: server-to-client TLS traffic from port 443 whose certificate bytes carry
# countryName "US" (|55 04 06|), stateOrProvinceName "NY" (|55 04 08|), localityName "New York"
# (|55 04 07|, fast_pattern) and a commonName (|55 04 03|) whose length byte is 28 or 29 and whose
# text is 25 lowercase letters, a dot and a 2-3 letter lowercase TLD. The trailing [01] in the pcre
# matches byte 0x30 or 0x31, the ASN.1 tag that follows the name. The leading |09 00| is presumably
# the serial-number length plus a leading zero byte -- TODO confirm.
# Triage note: the location fields alone are not unusual; the fixed-length random-looking CN is what
# narrows the match. The rule cannot see certificates on other ports or inside TLS 1.3 handshakes.
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC?)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022488; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_04, updated_at 2016_07_01;)

Added 2017-08-07 21:17:23 UTC


# sid:2022488 rev:3 as first published, without any metadata keyword.
# Replaces an exact-name match with a pattern: instead of one literal commonName, the rule accepts
# any certificate (server side, source port 443) that combines countryName "US", stateOrProvinceName
# "NY", localityName "New York" and a commonName of 28 or 29 bytes made of 25 lowercase letters,
# "." and a 2-3 letter lowercase TLD.
#   - distance:1 after each OID skips the one-byte string type tag; within:3 / within:9 cover the
#     length byte plus the value, so each value must directly follow its OID.
#   - byte_test:1,>,27,1,relative and byte_test:1,<,30,1,relative read the CN length byte.
#   - pcre flags: R = start at the end of the previous match, s = "." also matches newline bytes.
#   - |09 00| is presumably the serial-number length and leading zero -- TODO confirm.
# Limits: raw-byte matching only works while the certificate is sent in cleartext (not TLS 1.3),
# and traffic from ports other than 443 is out of scope.
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC?)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022488; rev:3;)

Added 2016-02-17 17:35:26 UTC


# sid:2022488 rev:2 -- the earliest entry on this page. Matches one specific certificate name only:
# the commonName OID |55 04 03| (2.5.4.3), then after one skipped byte (distance:1, the string type
# tag) the length byte |1d| (29) and the literal 29-character name. within:30 equals the length byte
# plus those 29 characters, so the name must start immediately after the tag.
# Scope: server-to-client TLS traffic from $EXTERNAL_NET port 443. A certificate with any other
# name does not match, and there is no fast_pattern, byte_test or pcre in this revision.
# Limits: needs the certificate in cleartext, so it cannot fire on TLS 1.3 handshakes.
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC?)"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|gfapuxkfzsddekagqyvtibckx.org"; distance:1; within:30; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022488; rev:2;)

Added 2016-02-04 17:26:34 UTC


Topic revision: r1 - 2020-02-27 - TWikiGuest
 