EmergingThreats> Main Web>2008233 (2017-03-21, MaksymParpaley) EditAttach

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"Mozilla"; depth:7; http_user_agent; content:!".apple.com"; http_host; isdataat:!1,relative; content:!".pandora.com"; http_host; isdataat:!1,relative; content:!"microsoft.com"; http_host; isdataat:!1,relative; pcre:"/\/rpt\d/U"; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:16; metadata:created_at 2010_07_30, updated_at 2019_09_28;)

Added 2019-10-01 08:28:00 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"Mozilla"; depth:7; http_user_agent; content:!".apple.com"; http_host; isdataat:!1,relative; content:!".pandora.com"; http_host; isdataat:!1,relative; content:!"microsoft.com"; http_host; isdataat:!1,relative; pcre:"/\/rpt\d/U"; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:16; metadata:created_at 2010_07_30, updated_at 2019_09_28;)

Added 2019-10-01 04:22:22 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"Mozilla"; depth:7; http_user_agent; content:!".apple.com"; http_host; isdataat:!1,relative; content:!".pandora.com"; http_host; isdataat:!1,relative; content:!"microsoft.com"; http_host; isdataat:!1,relative; pcre:"/\/rpt\d/U"; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:16; metadata:created_at 2010_07_30, updated_at 2019_02_11;)

Added 2019-09-26 19:56:12 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"Mozilla"; depth:7; http_user_agent; content:!".apple.com"; http_host; isdataat:!1,relative; content:!".pandora.com"; http_host; isdataat:!1,relative; content:!"microsoft.com"; http_host; isdataat:!1,relative; pcre:"/\/rpt\d/U"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:16; metadata:created_at 2010_07_30, updated_at 2019_02_11;)

Added 2019-02-11 17:18:30 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; content:!".pandora.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:15; metadata:created_at 2010_07_30, updated_at 2017_04_06;)

Added 2018-09-13 19:39:44 UTC

Added 2018-09-13 17:53:47 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; content:!".pandora.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:15; metadata:created_at 2010_07_30, updated_at 2017_04_06;)

Added 2017-08-07 21:01:24 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; content:!".pandora.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:15;)

Added 2017-05-05 16:58:50 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; content:!".pandora.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:15;)

Added 2017-05-03 17:35:06 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; content:!".pandora.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:15;)

Added 2017-04-06 17:20:38 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:14;)

Added 2015-12-11 18:32:51 UTC

FP for GoTOMyPC?

GoToMyPC? is remote desktop software that allows users to access computers remotely using a web browser. It was developed by ExpertCity? and launched in 1998. Citrix Systems acquired ExpertCity? in 2004 and maintained the GoToMyPC? brand and services. Citrix spun off the GoTo? products, which were acquired by LogMeIn? in early 2017.[2] There are three versions: "Personal", "Pro", and "Corporate".

GET /log?M=14932414&iv=0&body=T%3d2017-03-20+16%3a...................................................................................................data..........................................................b3xEeSITr5JDpLaTI/rpt3L8bc9N+bgKqAW+L................data........== HTTP/1.1

Host: 66.151.158.177

HTTP/1.0 200 OK Content-Type: text/plain Content-Length: 15

S=OK&E=default

Please consider rule modification

Thank you. Regards

-- MaksymParpaley - 2017-03-21

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!"captive.apple.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:13;)

Added 2015-12-08 18:09:33 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:11;)

Added 2012-03-16 17:31:45 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:10;)

Added 2011-10-12 19:24:42 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/\/rpt\d/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; sid:2008233; rev:10;)

Added 2011-09-14 22:38:10 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^\/rpt\d/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:9;)

Added 2011-02-04 17:27:20 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/^\/rpt\d/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:5;)

Added 2009-04-23 17:00:35 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/^\/rpt\d/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:5;)

Added 2009-04-23 17:00:35 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; pcre:"/\/rpt\d/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:4;)

Added 2009-02-12 18:21:16 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; pcre:"/\/rpt\d/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:4;)

Added 2009-02-12 18:21:16 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; pcre:"/\/rpt\d/"; classtype:trojan-activity; sid:2008233; rev:3;)

Added 2008-09-13 14:30:21 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; pcre:"/\/rpt\d/"; classtype:trojan-activity; sid:2008233; rev:3;)

Added 2008-09-13 14:30:21 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; classtype:trojan-activity; sid:2008233; rev:2;)

Added 2008-08-28 09:30:22 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"User-Agent\: Mozilla"; classtype:trojan-activity; sid:2008233; rev:2;)

Added 2008-08-28 09:30:22 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tj/"; uricontent:"d2W0eYCqAE"; nocase; content:!"|0d 0a|User-Agent\: Mozilla"; classtype:trojan-activity; sid:2008233; rev:1;)

Added 2008-05-19 13:14:16 UTC

Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r2 - 2017-03-21 - MaksymParpaley
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats