# ET TROJAN Win32/Ponmocup.A check-in — sid 2014660, rev 4 (Suricata form: `alert http` plus the
# http_raw_header / http_cookie buffers; this revision will not load on Snort).
# Triggers on an established, outbound (to_server) HTTP GET from $HOME_NET whose URI is exactly
# "/space.php" (urilen:10 pins the length; that content is the fast_pattern).
# Raw, un-normalized header buffer: "Accept: */*\r\nCookie:" (20 bytes) must sit within the first
# 25 bytes (depth:25), i.e. Accept is the leading header; then "User-Agent: " and "Host: " must
# follow in that order, each distance:0 chained on the previous match.
# Cookie buffer: value must begin with "uid=" (depth:4) and later contain "; VISITOR=".
# The fixed header order is the bot's HTTP-client fingerprint: a client that sends Host first
# cannot satisfy depth:25, so false positives should be rare — but presumably a sample that
# reorders headers would also evade this rule; rely on the cookie shape as the stronger indicator.
# NOTE(review): metadata still says updated_at 2012_05_01 although rev 4 was added 2017-08-07;
# reference is the md5 of the analysed sample, not a network indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ponmocup.A Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/space.php"; http_uri; fast_pattern; content:"Accept|3a| */*|0d 0a|Cookie|3a|"; depth:25; http_raw_header; content:"User-Agent|3a| "; http_raw_header; distance:0; content:"Host|3a| "; http_raw_header; distance:0; content:"uid="; depth:4; http_cookie; content:"|3b 20|VISITOR="; distance:0; http_cookie; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:trojan-activity; sid:2014660; rev:4; metadata:created_at 2012_05_01, updated_at 2012_05_01;)

Rule revision 4 added 2017-08-07 21:08:06 UTC


# Same detection, rev 3 (Snort-compatible form): tcp to $HTTP_PORTS, with the header checks done
# on the raw TCP payload rather than in HTTP-specific buffers.
# GET with URI exactly "/space.php" (urilen:10, fast_pattern) as in rev 4.
# "Accept: */*\r\nCookie: uid=" is 25 bytes and is constrained by offset:25; depth:25, so it must
# start exactly at payload byte 25 — immediately after a 25-byte request line such as
# "GET /space.php HTTP/1.1\r\n". Any extra or longer request-line bytes defeat the match.
# Then "; VISITOR=", "User-Agent: " and "Host: " must follow in that order (distance:0 chain).
# Superseded by rev 4 (which moves these matches into http_raw_header / http_cookie); both share
# sid 2014660, so load only one revision per sensor.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Ponmocup.A Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/space.php"; http_uri; fast_pattern; content:"Accept|3a| */*|0d 0a|Cookie|3a| uid="; offset:25; depth:25; content:"|3b 20|VISITOR="; distance:0; content:"User-Agent|3a| "; distance:0; content:"Host|3a| "; distance:0; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:trojan-activity; sid:2014660; rev:3;)

Rule revision 3 added 2012-05-01 20:42:42 UTC

