# Disabled rule (leading '#', msg prefix "ET DELETED"); the '?' in msg presumably marks the CoolEK attribution as tentative.
# Scope: HTTP requests from $HOME_NET to $EXTERNAL_NET on established flows (to_server), any port.
# Prefilter: case-insensitive ".pdf" in the URI (fast_pattern:only).
# pcre (/U = normalized URI, no /i so case-sensitive): the URI contains /white/, /world/ or /wstep/ and ends in
#   .pdf preceded by >=4 lowercase letters or one capital plus >=3 lowercase, or .PDF preceded by >=4 capitals.
# NOTE(review): the leading .* absorbs everything else in the path, so only those final characters are constrained;
#   ordinary document URLs under such directory names match too. Treat a hit as a lead to corroborate
#   (response content, follow-on traffic), not as confirmed exploit-kit activity.
# NOTE(review): the trailing $ means a URI with anything after the extension (e.g. a query string) is not covered.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:7; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)

Added 2021-06-23 19:31:50 UTC


# Disabled ("ET DELETED") rev:7 snapshot with metadata updated_at 2020_09_25.
# Detection logic: outbound HTTP request whose normalized URI contains /white/, /world/ or /wstep/ and ends in
#   .pdf/.PDF preceded by at least four letters of the matching case (case-sensitive pcre, /U).
# NOTE(review): only the last few characters before the extension are constrained, so benign PDF downloads
#   under such paths can match; corroborate before escalating.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:7; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2020_09_25;)

Added 2020-09-25 19:29:44 UTC


# Disabled ("ET DELETED") rev:7 snapshot with metadata updated_at 2019_10_07; former_category is carried
#   inside the single metadata option here.
# Detection logic: case-insensitive ".pdf" URI prefilter, then a case-sensitive pcre on the normalized URI (/U)
#   requiring /white/, /world/ or /wstep/ and a .pdf/.PDF ending preceded by >=4 letters of matching case.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:7; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2019_10_07;)

Added 2020-08-05 19:08:50 UTC


# Disabled ("ET DELETED") rev:7 snapshot. This form carries two metadata options: former_category
#   EXPLOIT_KIT on its own before classtype, and created_at/updated_at (2019_10_07) at the end.
# Detection logic: ".pdf" (nocase) in the URI as prefilter; pcre on the normalized URI (/U, case-sensitive)
#   requires /white/, /world/ or /wstep/ and a .pdf/.PDF ending preceded by >=4 letters of matching case.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; metadata: former_category EXPLOIT_KIT; classtype:trojan-activity; sid:2016405; rev:7; metadata:created_at 2013_02_12, updated_at 2019_10_07;)

Added 2019-10-08 19:34:09 UTC


# Disabled ("ET DELETED") rev:7 snapshot; former_category EXPLOIT_KIT appears as a separate metadata option,
#   and updated_at still equals created_at (2013_02_12).
# Detection logic: ".pdf" (nocase) URI prefilter plus a case-sensitive pcre on the normalized URI (/U) for
#   /white/, /world/ or /wstep/ followed by a .pdf/.PDF ending preceded by >=4 letters of matching case.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; metadata: former_category EXPLOIT_KIT; classtype:trojan-activity; sid:2016405; rev:7; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

Added 2019-09-26 19:57:19 UTC


# Disabled ("ET DELETED") rev:7 snapshot; metadata holds only created_at/updated_at (no former_category).
# Detection logic: ".pdf" (nocase) URI prefilter plus a case-sensitive pcre on the normalized URI (/U) for
#   /white/, /world/ or /wstep/ followed by a .pdf/.PDF ending preceded by >=4 letters of matching case.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:7; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

Added 2018-09-13 19:46:22 UTC


Added 2018-09-13 17:57:19 UTC


# Disabled ("ET DELETED") rev:7 snapshot; first form on this page that carries a metadata option
#   (created_at/updated_at, both 2013_02_12).
# Detection logic: ".pdf" (nocase) URI prefilter plus a case-sensitive pcre on the normalized URI (/U) for
#   /white/, /world/ or /wstep/ followed by a .pdf/.PDF ending preceded by >=4 letters of matching case.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:7;  metadata:created_at 2013_02_12, updated_at 2013_02_12;)

Added 2017-08-07 21:10:07 UTC


# Disabled ("ET DELETED") rev:7 snapshot without any metadata option. Relative to rev:5 the header is
#   "alert http ... any" instead of "alert tcp ... $HTTP_PORTS", so matching follows the HTTP app-layer
#   protocol rather than a port list; the content/pcre options are the same as rev:5.
# Detection logic: ".pdf" (nocase) URI prefilter plus a case-sensitive pcre on the normalized URI (/U) for
#   /white/, /world/ or /wstep/ followed by a .pdf/.PDF ending preceded by >=4 letters of matching case.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:7;)

Added 2014-09-10 17:09:11 UTC


# Active rev:5 (msg prefix "ET CURRENT_EVENTS"): TCP to $HTTP_PORTS, client-to-server on established flows.
# The directory alternation is hite|orld|step (/white/, /world/, /wstep/) and there is no start-of-URI
#   content anchor in this revision: the only content match is the ".pdf" prefilter (nocase, fast_pattern:only).
# pcre (/U = normalized URI, case-sensitive) then requires a .pdf ending preceded by >=4 lowercase letters or
#   one capital plus >=3 lowercase, or a .PDF ending preceded by >=4 capitals.
# NOTE(review): with neither a depth-limited content nor ^ in the pcre, the directory may appear anywhere in
#   the URI, and .* leaves only the last characters before the extension constrained; expect benign
#   document downloads to match and corroborate alerts before escalating.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:5;)

Added 2013-04-08 22:12:51 UTC


# Active rev:3: TCP to $HTTP_PORTS, client-to-server on established flows.
# content:"/w" with depth:2 on http_uri requires the URI to begin with "/w"; ".pdf" (nocase) is the
#   fast_pattern:only prefilter.
# pcre (/U = normalized URI, case-sensitive) covers /white/ and /world/ only, and requires a .pdf ending
#   preceded by >=4 lowercase letters or one capital plus >=3 lowercase, or .PDF preceded by >=4 capitals.
# NOTE(review): the pcre itself has no ^, so the start-of-URI constraint comes solely from the depth:2 content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:"/w"; http_uri; depth:2; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:3;)

Added 2013-03-28 23:46:23 UTC


# Active rev:3 as first published on this page: TCP to $HTTP_PORTS, client-to-server on established flows.
# Compared with rev:1 the start-of-URI anchor is shortened to content:"/w" (depth:2), the pcre directory
#   becomes the alternation hite|orld (/white/, /world/), and ".pdf" gains fast_pattern:only.
# The filename part of the pcre (/U, case-sensitive) requires a .pdf ending preceded by >=4 lowercase letters
#   or one capital plus >=3 lowercase, or a .PDF ending preceded by >=4 capitals.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:"/w"; http_uri; depth:2; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:1;)

Added 2013-03-28 18:53:43 UTC


# Original rev:1: TCP to $HTTP_PORTS, client-to-server on established flows.
# content:"/world/" with depth:7 on http_uri requires the URI to begin with /world/; ".pdf" (nocase) must
#   also appear in the URI. No fast_pattern is set in this revision.
# pcre (/U = normalized URI, case-sensitive) requires /world/ and a .pdf ending preceded by >=4 lowercase
#   letters or one capital plus >=3 lowercase, or a .PDF ending preceded by >=4 capitals.
# NOTE(review): .* between the directory and the filename part leaves only the last characters before the
#   extension constrained, so any such PDF URL under /world/ matches; corroborate alerts before escalating.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK? - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:"/world/"; http_uri; depth:7; content:".pdf"; nocase; http_uri; pcre:"/\/world\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:1;)

Added 2013-02-12 18:34:24 UTC

