# sid 2008233 rev 15: alerts on an outbound HTTP GET from $HOME_NET whose URI
# contains "/rpt" followed by a digit and whose headers lack "User-Agent: Mozilla".
# Requests with a header line ending in ".apple.com" or ".pandora.com" are excluded;
# the ".pandora.com" exclusion is the only change from rev 14.
# NOTE(review): the pcre is unanchored and /U runs against the normalized URI, so
# "/rpt<digit>" also matches inside a query string (for example encoded parameter
# data, as in the GoToMyPC false-positive report on this page). The header
# exclusions cannot cover a request whose Host is a bare IP address. Restricting
# the match to the URI path would narrow this - confirm against known samples.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; content:!".pandora.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:15;)

Added 2017-04-06 17:20:38 UTC


# sid 2008233 rev 14: same match as rev 13, but the exclusion is widened from
# "captive.apple.com" to any header line ending in ".apple.com".
# NOTE(review): the pcre is unanchored (/U, normalized URI), so "/rpt<digit>"
# inside a query string still matches; this is the revision that was current
# when the GoToMyPC false positive on this page was reported (2017-03-21).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:14;)

Added 2015-12-11 18:32:51 UTC

FP for GoToMyPC?

GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser. It was developed by ExpertCity and launched in 1998. Citrix Systems acquired ExpertCity in 2004 and maintained the GoToMyPC brand and services. Citrix spun off the GoTo products, which were acquired by LogMeIn in early 2017. There are three versions: "Personal", "Pro", and "Corporate".

GET /log?M=14932414&iv=0&body=T%3d2017-03-20+16%3a...................................................................................................data..........................................................b3xEeSITr5JDpLaTI/rpt3L8bc9N+bgKqAW+L................data........== HTTP/1.1

Host: 66.151.158.177

HTTP/1.0 200 OK Content-Type: text/plain Content-Length: 15

S=OK&E=default

Please consider rule modification

Thank you. Regards

-- MaksymParpaley - 2017-03-21


# sid 2008233 rev 13: header changes from "alert tcp ... $HTTP_PORTS" (rev 11)
# to "alert http ... any", so the rule is no longer limited to the configured
# HTTP ports. Adds a negated header match that skips requests with a header line
# ending in "captive.apple.com". No rev 12 is listed on this page.
# The URI test is still an unanchored "/rpt<digit>" on the normalized URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!"captive.apple.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:13;)

Added 2015-12-08 18:09:33 UTC


# sid 2008233 rev 11: identical to rev 10 except that the "GET" method match is
# now case-insensitive (nocase). Still limited to $HTTP_PORTS, with no host-based
# exclusions; the only negative condition is the absence of "User-Agent: Mozilla".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:11;)

Added 2012-03-16 17:31:45 UTC


# sid 2008233 rev 10 (entry dated 2011-10-12): same detection options as the
# rev 10 entry dated 2011-09-14; only the position of the reference and
# classtype options differs.
# The pcre has no "^" anchor, so "/rpt<digit>" may appear anywhere in the
# normalized URI, not only at the start of the path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:10;)

Added 2011-10-12 19:24:42 UTC


# sid 2008233 rev 10 (entry dated 2011-09-14): compared with rev 9 the "^"
# anchor is removed from the pcre, so "/rpt<digit>" now matches anywhere in the
# normalized URI instead of only at its start, and the cvsweb reference is dropped.
# NOTE(review): the page does not say why the anchor was removed; the looser
# match is what later allows hits inside query-string data.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/\/rpt\d/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; sid:2008233; rev:10;)

Added 2011-09-14 22:38:10 UTC


# sid 2008233 rev 9: moves from raw-payload matching (content:"GET "; depth:4
# and uricontent in rev 5) to the http_method / http_uri / http_header buffer
# modifiers. The negated User-Agent match no longer includes a leading CRLF.
# The pcre is anchored with "^", so the URI must begin with "/rpt<digit>".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^\/rpt\d/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:9;)

Added 2011-02-04 17:27:20 UTC


# sid 2008233 rev 5 (listed twice on this page with the same timestamp):
# compared with rev 4, the negated User-Agent match gains a leading CRLF, so it
# only counts "User-Agent: Mozilla" at the start of a header line, and the pcre
# becomes "^\/rpt\d" with /U, i.e. anchored to the start of the normalized URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/^\/rpt\d/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:5;)

Added 2009-04-23 17:00:35 UTC


# sid 2008233 rev 5 (duplicate listing, same timestamp as the other rev 5 entry
# on this page): "GET " in the first 4 payload bytes, URI containing "/rpt",
# no "User-Agent: Mozilla" at the start of a header line, and a pcre anchored to
# the start of the normalized URI ("^\/rpt\d" with /U).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/^\/rpt\d/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:5;)

Added 2009-04-23 17:00:35 UTC


# sid 2008233 rev 4 (listed twice on this page with the same timestamp):
# detection options are unchanged from rev 3; this revision adds the two
# reference:url entries. The pcre has no /U flag and no anchor, so it is
# evaluated against the raw payload rather than the normalized URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; pcre:"/\/rpt\d/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:4;)

Added 2009-02-12 18:21:16 UTC


# sid 2008233 rev 4 (duplicate listing, same timestamp as the other rev 4 entry
# on this page): "GET " in the first 4 payload bytes, URI containing "/rpt",
# no "User-Agent: Mozilla" anywhere in the payload, and an unanchored raw-payload
# pcre requiring a digit after "/rpt".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; pcre:"/\/rpt\d/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:4;)

Added 2009-02-12 18:21:16 UTC


# sid 2008233 rev 3 (listed twice on this page with the same timestamp):
# adds pcre "/\/rpt\d/" to rev 2, so "/rpt" must be followed by a digit.
# This narrows the bare uricontent:"/rpt" substring match of rev 2.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; pcre:"/\/rpt\d/"; classtype:trojan-activity; sid:2008233; rev:3;)

Added 2008-09-13 14:30:21 UTC


# sid 2008233 rev 3 (duplicate listing, same timestamp as the other rev 3 entry
# on this page): rev 2 plus a pcre requiring a digit directly after "/rpt".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; pcre:"/\/rpt\d/"; classtype:trojan-activity; sid:2008233; rev:3;)

Added 2008-09-13 14:30:21 UTC


# sid 2008233 rev 2 (listed twice on this page with the same timestamp):
# replaces the rev 1 URI markers ("/tj/" and "d2W0eYCqAE") with a single
# uricontent:"/rpt", and drops the leading CRLF from the negated User-Agent match.
# NOTE(review): with only a 4-byte URI substring and a missing-Mozilla condition,
# this revision is broad; later revisions add a digit requirement via pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; classtype:trojan-activity; sid:2008233; rev:2;)

Added 2008-08-28 09:30:22 UTC


# sid 2008233 rev 2 (duplicate listing, same timestamp as the other rev 2 entry
# on this page): "GET " in the first 4 payload bytes, URI containing "/rpt", and
# no "User-Agent: Mozilla" string in the payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; classtype:trojan-activity; sid:2008233; rev:2;)

Added 2008-08-28 09:30:22 UTC


# sid 2008233 rev 1 (first revision listed on this page): alerts on an outbound
# request to $HTTP_PORTS that starts with "GET " (first 4 payload bytes), whose
# URI contains both "/tj/" and the token "d2W0eYCqAE" (case-insensitive), and
# that has no header line beginning with "User-Agent: Mozilla".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tj/"; uricontent:"d2W0eYCqAE"; nocase; content:!"|0d 0a|User-Agent\: Mozilla"; classtype:trojan-activity; sid:2008233; rev:1;)

Added 2008-05-19 13:14:16 UTC


Topic revision: r2 - 2017-03-21 - MaksymParpaley
 