# sid 2011969, rev 9 (copy carrying a metadata option).
# Fires on an established client-to-server HTTP GET from $HOME_NET whose URI
# contains "/html/license_" followed by at least 550 hex characters and ".html";
# the msg labels this a Ponmocup C2 post-infection check-in.
# - Header "alert http ... any": keyed on the HTTP app-layer protocol, so the
#   destination port is unrestricted. This needs an engine that accepts an
#   app-layer protocol in the rule header (e.g. Suricata); the rev 8 entries on
#   this page use "tcp" with $HTTP_PORTS instead.
# - content:"/html/license_"; http_uri; nocase is the literal anchor. The pcre
#   (U = normalized URI buffer, i = case-insensitive) adds the length and
#   ".html" suffix constraints on top of it.
# - NOTE(review): updated_at equals created_at (2010_11_22) although this is
#   rev 9 and the "Added" stamps on this page run from 2011 to 2017, so do not
#   treat updated_at as the date of the last change.
# - These keywords only see cleartext HTTP. The alerting $HOME_NET client is
#   the host to triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup C2 Post-infection Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; classtype:trojan-activity; sid:2011969; rev:9; metadata:created_at 2010_11_22, updated_at 2010_11_22;)

Added 2017-08-07 21:05:02 UTC


# sid 2011969, rev 9 as recorded 2014-09-12: the same detection logic as the
# newest entry on this page, but without a metadata option.
# - Direction: $HOME_NET client -> $EXTERNAL_NET server, established flow,
#   HTTP protocol on any destination port.
# - Literal matches: "GET" in the method buffer, "/html/license_" in the URI
#   buffer (nocase).
# - pcre /\/html\/license_[0-9A-F]{550,}\.html/Ui requires 550 or more hex
#   characters between "license_" and ".html". The i flag means lowercase a-f
#   also satisfies [0-9A-F].
# - msg category is "ET TROJAN"; the rev 8 entries on this page still carry
#   "ET CURRENT_EVENTS".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup C2 Post-infection Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; classtype:trojan-activity; sid:2011969; rev:9;)

Added 2014-09-12 16:28:28 UTC


# sid 2011969, rev 8 (entry stamped 2011-10-12).
# - Header "alert tcp ... $EXTERNAL_NET $HTTP_PORTS": only flows to destination
#   ports listed in $HTTP_PORTS are inspected, so coverage depends on how that
#   variable is set in the sensor configuration. rev 9 on this page replaces
#   this with "alert http ... any".
# - Detection relies on the URI alone: "/html/license_" (http_uri, nocase) plus
#   the pcre requiring 550 or more hex characters and a ".html" suffix.
# - Unlike rev 6 on this page, there is no User-Agent content match, so a
#   change of User-Agent string does not affect this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Post-infection Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; classtype:trojan-activity; sid:2011969; rev:8;)

Added 2011-10-12 19:33:10 UTC


# sid 2011969, rev 8 (entry stamped 2011-08-17). The rule text is identical to
# the rev 8 entry stamped 2011-10-12 on this page; only the "Added" timestamp
# differs, so the rule body did not change between the two stamps.
# - Scope: established client-to-server TCP from $HOME_NET to $EXTERNAL_NET on
#   $HTTP_PORTS.
# - Match: GET method, URI containing "/html/license_" (nocase), then the pcre
#   on the normalized URI (U), case-insensitive (i), requiring {550,} hex
#   characters before ".html".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Post-infection Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; classtype:trojan-activity; sid:2011969; rev:8;)

Added 2011-08-17 22:53:21 UTC


# sid 2011969, rev 6 (entry stamped 2011-04-07 21:14).
# - URI logic: "/html/license_" (http_uri, nocase) plus the pcre requiring
#   550 or more hex characters and ".html".
# - Extra condition: a final content match on the literal header line
#   "\r\nUser-Agent: Mozilla5.0 (Windows; U; MSIE 8.0; Windows NT 6.0; en-US)".
#   It has no http_header modifier and no nocase, so it is a case-sensitive
#   match outside the HTTP buffers used by the other options.
# - NOTE(review): "Mozilla5.0" lacks the usual "/" and is presumably the exact
#   string the sample sent. Pinning the rule to one User-Agent means any
#   variation in that header defeats the match. rev 8 on this page drops this
#   content and relies on the URI alone.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SEO FAKE AV Win32.Ponmocup Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; content:"|0d 0a|User-Agent|3a 20|Mozilla5.0|20|(Windows|3b 20|U|3b 20|MSIE 8.0|3b 20|Windows NT 6.0|3b 20|en-US)"; classtype:trojan-activity; sid:2011969; rev:6;)

Added 2011-04-07 21:14:45 UTC


# sid 2011969, rev 6 (entry stamped 2011-04-07 14:49). The rule text is
# identical to the rev 6 entry stamped later the same day on this page.
# - Three conditions must all hold: GET method; URI with "/html/license_" and
#   {550,} hex characters before ".html"; and the exact, case-sensitive
#   User-Agent header line given in the last content option.
# - Compared with rev 4 on this page, the pcre quantifier is the well-formed
#   {550,} and every "/" inside the expression is escaped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SEO FAKE AV Win32.Ponmocup Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; content:"|0d 0a|User-Agent|3a 20|Mozilla5.0|20|(Windows|3b 20|U|3b 20|MSIE 8.0|3b 20|Windows NT 6.0|3b 20|en-US)"; classtype:trojan-activity; sid:2011969; rev:6;)

Added 2011-04-07 14:49:28 UTC


# sid 2011969, rev 4 (entry stamped 2011-04-06). Kept as history; do not
# deploy this revision.
# - NOTE(review): "{756+}" is not a valid PCRE repetition (the valid forms are
#   {n}, {n,} and {n,m}). PCRE reads a malformed brace as literal text, so as
#   written the expression appears to require one hex character followed by the
#   literal characters "{75", one or more "6", and "}". That would not match a
#   long hex URI, so this revision likely never alerted on the intended traffic.
# - NOTE(review): the "/" between "html" and "license_" is unescaped inside a
#   "/"-delimited pcre; how that parses depends on the engine.
# - The s flag only changes how "." matches; the expression contains no ".",
#   so it has no effect here.
# - rev 6 on this page corrects the expression to
#   /\/html\/license_[0-9A-F]{550,}\.html/Ui.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SEO FAKE AV Win32.Ponmocup Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html/license_[0-9a-fA-F]{756+}/Usi"; content:"|0d 0a|User-Agent|3a 20|Mozilla5.0|20|(Windows|3b 20|U|3b 20|MSIE 8.0|3b 20|Windows NT 6.0|3b 20|en-US)"; classtype:trojan-activity; sid:2011969; rev:4;)

Added 2011-04-06 17:38:09 UTC


# sid 2011969, rev 3 (earliest entry on this page, stamped 2011-02-04).
# - The msg is the generic "SEO FAKE AV (Checkin)"; later revisions on this
#   page rename it to Win32.Ponmocup and then to "Ponmocup C2 Post-infection
#   Checkin" under the same sid, so alert history for this sid spans several
#   msg strings.
# - NOTE(review): the pcre uses "{756+}", which is not a valid PCRE quantifier
#   and is read as literal text, so the length check intended here is not
#   actually enforced and the expression is unlikely to match a real hex URI.
#   The rev 6 entries on this page show the corrected form "{550,}".
# - The trailing User-Agent content is an exact, case-sensitive match with no
#   HTTP buffer modifier.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SEO FAKE AV (Checkin)"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html/license_[0-9a-fA-F]{756+}/Usi"; content:"|0d 0a|User-Agent|3a 20|Mozilla5.0|20|(Windows|3b 20|U|3b 20|MSIE 8.0|3b 20|Windows NT 6.0|3b 20|en-US)"; classtype:trojan-activity; sid:2011969; rev:3;)

Added 2011-02-04 17:31:48 UTC


Topic revision: r1 - 2017-08-08 - TWikiGuest
 