alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkComet? Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2011_06_21, performance_impact Low, updated_at 2017_04_10;)

Added 2017-08-07 21:06:20 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkComet? Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7;)

Added 2017-05-05 16:58:51 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkComet? Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7;)

Added 2017-05-03 17:35:07 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkComet? Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7;)

Added 2017-04-11 19:59:38 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkComet? Keepalive Inbound"; flow:from_server,established; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:6;)

Added 2016-08-25 16:52:12 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Checkin Inbound"; flow:from_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:5;)

Added 2012-09-28 00:08:33 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Checkin Inbound"; flow:from_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d+/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:4;)

Added 2012-03-01 14:34:53 UTC


alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Checkin Inbound"; flow:from_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d+/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:3;)

Added 2011-11-03 17:33:48 UTC


Topic revision: r1 - 2017-08-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats