alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:!".doubleclick.net"; http_header; content:!".pingstart.com"; http_header; content:!".colis-logistique.com"; http_header; content:!"android-lrcresource.wps.com"; http_header; content:!"track.package-buddy.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_03_01;)

Added 2017-11-08 16:30:22 UTC

Hi, I'm not sure what happened here, but the above rule seems to be on the wrong page?

-- MartijnEastwood - 2017-11-09


alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE 401TRG Perl DDoS? IRCBot File Download"; flow:established,from_server; content:"|6d 79 20 24 70 72 6f 63 65 73 73 20 3d 20 24 72 70 73 5b 72 61 6e 64 20 73 63 61 6c 61 72 20 40 72 70 73 5d 3b|"; gid:4113433437; metadata: former_category ATTACK_RESPONSE; classtype:web-application-attack; sid:2024931; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2017_10_26, malware_family webshell, performance_impact Moderate, updated_at 2017_10_26;)

Added 2017-10-26 16:26:50 UTC

Note: the "gid:4113433437;" is bogus and should be removed.

-- MartijnEastwood - 2017-11-08

Thank you, this should be removed today! Sorry for the inconvenience.

-- DarienH - 2017-11-08
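As an added example (not code from this page, from Emerging Threats or from Suricata), the following Python script decodes the |hex| content strings of the two rules quoted above (sid 2007994 and sid 2024931) and evaluates their content / !content logic against constructed HTTP traffic. Assumptions: the exclusion list of sid 2007994 is shortened to three hosts, the bogus gid option of sid 2024931 is left out, flow and direction keywords are not modelled, and every header block and response body below is made up for illustration.

```python
"""Decode and evaluate the content keywords of two Emerging Threats rules.

Added example, not code from the page or from Emerging Threats/Suricata.
Only content / !content with the http_header modifier are modelled;
flow, direction, gid and other keywords are ignored.
"""

# Rule sid:2007994 as on the page, with its list of negated host
# exclusions shortened to three entries (assumption: the logic is the same).
RULE_2007994 = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET MALWARE Suspicious User-Agent (1 space)"; '
    'flow:to_server,established; '
    'content:"User-Agent|3a 20 0d 0a|"; http_header; '
    'content:!".mcafee.com"; http_header; '
    'content:!"update.eset.com|0d 0a|"; http_header; '
    'content:!".doubleclick.net"; http_header; '
    'classtype:trojan-activity; sid:2007994; rev:19;)'
)

# Rule sid:2024931 as on the page, with the bogus gid option left out.
RULE_2024931 = (
    'alert http $EXTERNAL_NET any -> $HTTP_SERVERS any '
    '(msg:"ET ATTACK_RESPONSE 401TRG Perl DDoS? IRCBot File Download"; '
    'flow:established,from_server; '
    'content:"|6d 79 20 24 70 72 6f 63 65 73 73 20 3d 20 24 72 70 73 5b '
    '72 61 6e 64 20 73 63 61 6c 61 72 20 40 72 70 73 5d 3b|"; '
    'classtype:web-application-attack; sid:2024931; rev:2;)'
)


def decode_content(value: str) -> bytes:
    """Decode a content string: text outside |...| is literal (latin-1),
    text inside |...| is whitespace-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_contents(rule: str):
    """Return (negated, pattern, buffer) for every content keyword.
    buffer is 'http_header' when the keyword is followed by http_header,
    otherwise 'payload' (the HTTP body)."""
    options = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = [o.strip() for o in options.split(";") if o.strip()]
    result = []
    for i, opt in enumerate(opts):
        if not opt.startswith("content:"):
            continue
        value = opt[len("content:"):].strip()
        negated = value.startswith("!")
        value = value.lstrip("!").strip().strip('"')
        is_header = i + 1 < len(opts) and opts[i + 1] == "http_header"
        result.append((negated, decode_content(value), "http_header" if is_header else "payload"))
    return result


def rule_matches(rule: str, http_header: bytes, payload: bytes) -> bool:
    """True when every positive content is found in its buffer and no
    negated content is found. Matching is case-sensitive (no nocase)."""
    for negated, pattern, buf in parse_contents(rule):
        haystack = http_header if buf == "http_header" else payload
        if (pattern in haystack) == negated:
            return False
    return True


# Constructed sample traffic (not captures from the page).
EMPTY_UA_TO_UNKNOWN_HOST = (
    b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: \r\n\r\n"
)
EMPTY_UA_TO_ESET = (
    b"GET /eset_upd/update.ver HTTP/1.1\r\nHost: update.eset.com\r\n"
    b"User-Agent: \r\n\r\n"
)
NORMAL_UA = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
PERL_BOT_RESPONSE = (
    b"#!/usr/bin/perl\n"
    b'my @rps = ("/usr/sbin/apache2 -k start", "/usr/sbin/sshd");\n'
    b"my $process = $rps[rand scalar @rps];\n"
)

if __name__ == "__main__":
    for rule in (RULE_2007994, RULE_2024931):
        for negated, pattern, buf in parse_contents(rule):
            print(f"{'!' if negated else ' '}{buf}: {pattern!r}")
    print(rule_matches(RULE_2007994, EMPTY_UA_TO_UNKNOWN_HOST, b""))  # True
    print(rule_matches(RULE_2007994, EMPTY_UA_TO_ESET, b""))          # False
    print(rule_matches(RULE_2007994, NORMAL_UA, b""))                 # False
    print(rule_matches(RULE_2024931, b"", PERL_BOT_RESPONSE))         # True
```

Decoding the second rule's hex shows it is a plain-text match for the Perl line `my $process = $rps[rand scalar @rps];`, the process-name randomisation common in Perl IRC bots; the first rule fires only when the User-Agent header is exactly a single space and none of the whitelisted hosts appear anywhere in the header block, which is why the negated matches are anchored with a trailing `|0d 0a|` where a bare substring would be too broad.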


Topic revision: r4 - 2017-11-09 - MartijnEastwood
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats