# sid 2014409 rev 5, http-protocol form (entry dated 2017-08-07). Fires on an outbound GET whose URI is longer than
# 150 bytes and, per the anchored pcre (/U = normalized URI), consists solely of base64-alphabet characters with
# standard '='/'==' padding, where the request carries no User-Agent header and the headers end with
# "Cache-Control: no-cache\r\n\r\n". Negated http_header matches exclude pandora.com and wordpress.com, the
# false-positive sources reported further down this page.
# NOTE(review): the fast_pattern:only match on "= HTTP/1.1" requires the request line to end in '=', so a
# base64-shaped URI that happens to need no padding (the pcre's {4} branch) would not alert on this rule.
# NOTE(review): the '?' in "FakeAV?.dfze" is presumably a TWiki WikiWord artifact, not part of the real msg — confirm
# against the distributed rule text before copying this line into a ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV?.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; content:"GET"; http_method; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern:only; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"pandora.com"; http_header; content:!"wordpress.com"; http_header; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:trojan-activity; sid:2014409; rev:5; metadata:created_at 2012_03_21, updated_at 2012_03_21;)

Added 2017-08-07 21:07:48 UTC


# sid 2014409 rev 5, http-protocol form as posted 2014-07-10 — the same rule body as the 2017 entry above, minus the
# metadata keyword. This is the revision that followed the false-positive report below: the Pandora and wordpress
# exclusions are negated http_header matches on the bare domains ("pandora.com", "wordpress.com"), not the
# "Host:www..." raw-payload negations suggested in the comment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV?.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; content:"GET"; http_method; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern:only; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"pandora.com"; http_header; content:!"wordpress.com"; http_header; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:trojan-activity; sid:2014409; rev:5;)

Added 2014-07-10 18:16:39 UTC


# sid 2014409 rev 5, tcp/$HTTP_PORTS form (posted 2012-06-15). Compared with rev 4 at the bottom of this page it
# renames the msg to FakeAV, requires urilen:>150 and additionally excludes URIs containing '.', so the matched
# path may contain neither '&' nor '.'. No host exclusions yet — this is the body the false-positive report refers to.
# NOTE(review): this entry and the 2014-07-10 entry above both carry rev:5 with different bodies; the rev number is
# normally bumped on every body change — verify which body the distributed ruleset actually shipped as rev 5.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV?.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; content:!"&"; http_uri; content:!"."; http_uri; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:trojan-activity; sid:2014409; rev:5;)

Added 2012-06-15 00:50:33 UTC

I have noticed false positives on this rule for Pandora traffic and occasionally for traffic to wordpress.com. I recommend the following revision:

# Proposed rev 6 from the comment above (MichaelMenefee, 2014-07-10), kept exactly as posted. Review notes:
# - content:!"Host:www.wordpress.com"reference:... lacks the "; " separator before reference:, so the line would not
#   parse as written.
# - The two negations spell the header as "Host:www..." with no space after the colon, while the rule's own positive
#   match uses "Host|3a| " (colon, space); as written they would most likely never exclude anything. The rev 5 that
#   was actually posted uses negated http_header matches on the bare domains instead.
# - "FakeAV??.dfze" (double '?') presumably comes from copying the TWiki-rendered msg rather than the real rule text.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV??.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; content:!"&"; http_uri; content:!"."; http_uri; content:!"Host:www.pandora.com"; content:!"Host:www.wordpress.com"reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:trojan-activity; sid:2014409; rev:6;)

-- MichaelMenefee - 2014-07-10

Thanks, we will post an update for this today!

-- DarienH - 2014-07-10


# sid 2014409 rev 4 (posted 2012-03-21), the earliest revision on this page, originally attributed to Alureon.
# Matches an outbound request whose payload contains "= HTTP/1.1\r\nHost: " with no User-Agent header,
# "Cache-Control: no-cache" closing the headers, and no '&' anywhere in the URI. Later revisions add urilen:>150 and a
# '.' exclusion (rev 5, 2012), and finally a base64 pcre plus host exclusions (rev 5, 2014).
# NOTE(review): the '?' in "CnC?" looks like a TWiki WikiWord artifact rather than part of the msg — confirm.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alureon Primary CnC? Checkin"; flow:established,to_server; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; content:!"&"; http_uri; classtype:trojan-activity; sid:2014409; rev:4;)

Added 2012-03-21 18:10:08 UTC


Topic revision: r3 - 2014-07-10 - DarienH
 