# sid 2016932 rev 5 -- Spy/Infostealer.Win32.Embed.A client check-in (HTTP, app-layer "http" protocol).
# Fires on an established client->server request when ALL of the following hold:
#   * URI contains "/search?hl=", "q=" and "meta=" as plain substrings (none are anchored or chained);
#     "meta=" is the prefilter pattern via fast_pattern:only.
#   * User-Agent contains "Windows NT 5." (widened from "Windows NT 5.0" in rev 4 so NT 5.1/5.2 also match).
#   * Header buffer does NOT contain "Referer:", "Accept" or "sogou.com".
#   * pcre (/U = URI buffer): "meta=" followed by an optional base64-shaped value (4-char groups, "=" or "==" padding)
#     and an optional "id=<lowercase letters>" (the "&" before id= is optional), then end of URI. Both groups are
#     optional, so a bare trailing "meta=" also satisfies the regex.
# NOTE(review): content:!"Accept" is a substring test over the whole header buffer, so any Accept-* header
# (Accept-Encoding, Accept-Language, ...) also suppresses the alert; confirm that is the intended scope.
# Reference: Contagio dump write-up of the CVE-2010-3333 sample with info theft (URL below).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; content:"/search?hl="; http_uri; content:"q="; http_uri; content:"meta="; fast_pattern:only; http_uri; content:"Windows NT 5."; http_user_agent; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; pcre:"/meta=(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?(?:&?id=[a-z]+)?$/U"; content:!"sogou.com"; http_header; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:5;)

Added 2017-03-20 20:33:41 UTC


# sid 2016932 rev 5 (this page lists the rev 5 text twice under different "Added" timestamps; the rule body is identical).
# Spy/Infostealer.Win32.Embed.A client check-in. Matches an established client->server HTTP request when:
#   * URI contains "/search?hl=", "q=" and "meta=" (unanchored substrings; "meta=" is the fast_pattern:only prefilter).
#   * User-Agent contains "Windows NT 5.".
#   * Header buffer contains none of "Referer:", "Accept", "sogou.com".
#   * pcre on the URI (/U): "meta=" + optional base64-shaped value + optional "id=<lowercase letters>"
#     ("&" before id= optional) + end of URI. Both optional groups may be absent.
# NOTE(review): the negated "Accept" match is a substring test, so requests carrying any Accept-* header
# are excluded as well -- verify this matches the observed sample traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; content:"/search?hl="; http_uri; content:"q="; http_uri; content:"meta="; fast_pattern:only; http_uri; content:"Windows NT 5."; http_user_agent; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; pcre:"/meta=(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?(?:&?id=[a-z]+)?$/U"; content:!"sogou.com"; http_header; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:5;)

Added 2017-03-20 19:16:55 UTC


# sid 2016932 rev 4 -- Spy/Infostealer.Win32.Embed.A client check-in.
# First revision on this page using the app-layer "http" protocol (rev 1 used "tcp ... $HTTP_PORTS").
# Matches an established client->server request when:
#   * URI contains "/search?hl=", "q=" and "meta=" as unanchored substrings ("meta=" is the fast_pattern:only prefilter).
#   * pcre on the URI (/U): "meta=" followed by an optional "id=" and then one or more lowercase letters
#     running to the end of the URI -- i.e. the meta value must be purely lowercase ASCII letters here.
#   * User-Agent contains the exact string "Windows NT 5.0".
#   * Header buffer does NOT contain "sogou.com".
# Compared with rev 5 this revision has no Referer/Accept exclusions and does not accept a base64-shaped meta value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; content:"/search?hl="; http_uri; content:"q="; http_uri; content:"meta="; fast_pattern:only; http_uri; pcre:"/meta=(?:id=)?[a-z]+$/U"; content:"Windows NT 5.0"; http_user_agent; content:!"sogou.com"; http_header; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:4;)

Added 2014-08-20 18:16:44 UTC


# sid 2016932 rev 1 -- Spy/Infostealer.Win32.Embed.A client check-in, original TCP/$HTTP_PORTS form.
# Matches an established client->server request whose URI contains an ORDERED chain of substrings:
#   "search?hl=" ... then "&q=" starting at least 4 bytes after the end of the previous match (distance:4),
#   then "&meta=" anywhere after that (distance:0; this is the fast_pattern), then "&id=" anywhere after that.
# The distance modifiers make each content relative to the preceding one, so the keyword order in this rule
# is significant and must not be rearranged.
# No User-Agent or header exclusions yet; those were added in rev 4 and rev 5 (see the later entries on this page).
# Note the "&id=" parameter is mandatory here, whereas rev 4/rev 5 make "id=" optional in the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; content:"search?hl="; http_uri; content:"&q="; distance:4; http_uri; content:"&meta="; distance:0; fast_pattern; http_uri; content:"&id="; distance:0; http_uri; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:1;)

Added 2013-05-28 21:46:41 UTC

