#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit? Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)

Added 2020-11-23 17:30:13 UTC


#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit? Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

Added 2020-04-27 19:10:22 UTC


#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit? Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_22, updated_at 2013_07_22;)

Added 2018-09-13 19:47:19 UTC


Added 2018-09-13 17:57:50 UTC


#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit? Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_22, updated_at 2013_07_22;)

Added 2017-08-07 21:11:02 UTC


#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit? Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4;)

Added 2014-08-07 16:56:53 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit? Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:3;)

Added 2013-07-23 22:47:46 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit? Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script><\/body><\/html>$/R"; classtype:trojan-activity; sid:2017168; rev:2;)

Added 2013-07-22 21:31:35 UTC


Topic revision: r1 - 2020-11-23 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats