alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SpyEye? HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012279; rev:4; metadata:created_at 2011_02_03, updated_at 2011_02_03;)

Added 2017-08-07 21:05:24 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SpyEye? HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012279; rev:4;)

Added 2014-09-12 16:28:30 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye? HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012279; rev:2;)

Added 2013-06-11 21:40:32 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye? HTTP Library leaking information to C&C"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012279; rev:1;)

Added 2011-10-12 19:33:52 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye? HTTP Library leaking information to C&C"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; classtype:trojan-activity; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; sid:2012279; rev:1;)

Added 2011-02-04 17:32:12 UTC


Topic revision: r1 - 2017-08-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats