alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC? Beacon 7"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; depth:1; content:"/"; http_uri; distance:0; isdataat:!1,relative; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; byte_test:0,<,80,0,string,dec; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a|Pragma|0d 0a 0d 0a|"; depth:87; isdataat:!1,relative; fast_pattern; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025119; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_05, updated_at 2017_12_05;)

Added 2017-12-05 16:50:38 UTC


Topic revision: r1 - 2017-12-05 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats