#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; reference:url,doc.emergingthreats.net/2008675; classtype:trojan-activity; sid:2008675; rev:5;)

Added 2014-08-26 19:07:49 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; reference:url,doc.emergingthreats.net/2008675; classtype:trojan-activity; sid:2008675; rev:4;)

Added 2011-10-12 19:25:36 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008675; sid:2008675; rev:4;)

Added 2011-09-14 22:39:04 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008675; rev:4;)

Added 2011-02-04 17:27:52 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008675; rev:4;)

Added 2010-06-09 20:41:07 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008675; rev:4;)

Added 2010-06-09 20:41:07 UTC


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008675; rev:3;)

Added 2009-02-12 18:21:13 UTC


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008675; rev:3;)

Added 2009-02-12 18:21:13 UTC


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; sid:2008675; rev:2;)

Added 2008-11-11 09:30:22 UTC


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; sid:2008675; rev:2;)

Added 2008-11-11 09:30:22 UTC


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 90:100 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; dsize:<75; content:"11000351|5e 2a|"; depth:10; flowbits:isnotset,ET.assassin.start; flowbits:noalert; flowbits:set,ET.assassin.start; classtype:trojan-activity; sid:2008675; rev:1;)

Added 2008-10-17 17:15:23 UTC

See BackdoorWin32Assasin

-- MattJonkman - 17 Oct 2008


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 90:100 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; dsize:<75; content:"11000351|5e 2a|"; depth:10; flowbits:isnotset,ET.assassin.start; flowbits:noalert; flowbits:set,ET.assassin.start; classtype:trojan-activity; sid:2008675; rev:1;)

Added 2008-10-17 17:14:46 UTC


Topic revision: r2 - 2008-10-17 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats