alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CozyDuke? APT HTTP Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|"; depth:12; http_header; pcre:"/\.php\?$/U"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:trojan-activity; sid:2020962; rev:2;)

Added 2015-04-22 21:24:29 UTC


Topic revision: r1 - 2015-04-23 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats