# ET sid 2018052 rev 9 (current entry). Fires on an outbound HTTP GET whose
# request line contains ".bin HTTP/1." (the fast_pattern, so no query string
# after .bin) and whose normalized URI ends in /<1-31 lowercase alphanumerics>.bin
# (the pcre carries no /i, so mixed-case or uppercase names do not match),
# with " MSIE " in the User-Agent, no "AskTbARS" anywhere in the headers, and
# neither a Referer nor an Accept-Language header present (negated lookups in
# http_header_names, where the rule expects each name to be followed by CRLF).
# Host exclusions: every negated http_host content except "aocdn.net" is
# followed by isdataat:!1,relative, apparently to require the string at the END
# of the Host value (suffix match). "aocdn.net" has no such anchor, so it is
# excluded wherever it appears in the Host buffer. NOTE(review): confirm that
# asymmetry is intentional; as written it also suppresses hosts such as
# "aocdn.net.<anything>".
# This revision uses sticky buffers (http_user_agent, http_host,
# http_header_names, http_request_line) and so needs a Suricata release that
# supports them; it is not Snort 2.x syntax. The rev 8 entry further down is
# the http_header-based form of the same logic.
# Body identical to the 2020-03-06 rev 9 entry below; only updated_at differs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:" MSIE "; http_user_agent; content:!"AskTbARS"; http_header; content:!".passport.net"; http_host; isdataat:!1,relative; content:!".microsoftonline-p.net"; http_host; isdataat:!1,relative; content:!".symantec.com"; http_host; isdataat:!1,relative; content:!".qq.com"; http_host; isdataat:!1,relative; content:!"aocdn.net"; http_host; content:!"kankan.com"; http_host; isdataat:!1,relative; content:!"conf.v.xunlei.com"; http_host; isdataat:!1,relative; http_header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; http_request_line; content:".bin HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2018052; rev:9; metadata:created_at 2014_02_01, updated_at 2020_11_05;)

Added 2020-11-05 18:35:55 UTC


# rev 9 as first published (updated_at 2020_03_06). Rule body is identical to
# the current entry above; only the metadata date changed afterwards.
# Changes versus rev 8:
#  - " MSIE " is matched in http_user_agent instead of the whole http_header.
#  - Host exclusions moved from http_header (string + CRLF) to the http_host
#    sticky buffer, anchored to the end of the value with isdataat:!1,relative
#    (aocdn.net remains unanchored, as in rev 5-8).
#  - Absence of Referer / Accept-Language is now checked in http_header_names
#    ("Name|0d 0a|") rather than as "Name|3a|" in http_header.
#  - The ".bin" http_uri content and the trailing "|0d 0a 0d 0a|" were dropped;
#    ".bin HTTP/1." in http_request_line is the new fast_pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:" MSIE "; http_user_agent; content:!"AskTbARS"; http_header; content:!".passport.net"; http_host; isdataat:!1,relative; content:!".microsoftonline-p.net"; http_host; isdataat:!1,relative; content:!".symantec.com"; http_host; isdataat:!1,relative; content:!".qq.com"; http_host; isdataat:!1,relative; content:!"aocdn.net"; http_host; content:!"kankan.com"; http_host; isdataat:!1,relative; content:!"conf.v.xunlei.com"; http_host; isdataat:!1,relative; http_header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; http_request_line; content:".bin HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2018052; rev:9; metadata:created_at 2014_02_01, updated_at 2020_03_06;)

Added 2020-03-09 21:02:08 UTC


# rev 8. Only change versus rev 7: "fast_pattern:only" on the ".bin" http_uri
# content became plain "fast_pattern", and updated_at was set to 2019_10_07.
# Mechanics of the rev 3-8 form, for comparison with rev 9:
#  - Referer / Accept-Language absence is checked as "Name|3a|" not present in
#    the http_header buffer.
#  - Each host exclusion is "string|0d 0a|" in http_header, i.e. any header
#    line that ENDS with that string suppresses the alert, not only the Host
#    header. "aocdn.net" has no CRLF anchor and matches anywhere in the headers.
#  - The trailing "|0d 0a 0d 0a|" content requires the end of the header block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"conf.v.xunlei.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:8; metadata:created_at 2014_02_01, updated_at 2019_10_07;)

Added 2019-10-08 19:34:10 UTC


# rev 7, re-listed 2018-09-13. Text is identical to the 2017-08-14 rev 7 entry
# below (same rule body, same rev, same metadata); no functional change.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"conf.v.xunlei.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:7; metadata:created_at 2014_02_01, updated_at 2014_02_01;)

Added 2018-09-13 19:48:20 UTC


Added 2018-09-13 17:58:23 UTC


# rev 7. Only change versus rev 6: adds the "conf.v.xunlei.com|0d 0a|"
# http_header exclusion. The updated_at metadata was not bumped (still
# 2014_02_01) even though the rule body changed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"conf.v.xunlei.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:7; metadata:created_at 2014_02_01, updated_at 2014_02_01;)

Added 2017-08-14 16:19:39 UTC


# rev 6, re-listed 2017-08-14. Identical to the 2015-07-02 rev 6 entry below
# except that the "metadata:created_at/updated_at" field was added; the rev
# number was not bumped for that.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:6; metadata:created_at 2014_02_01, updated_at 2014_02_01;)

Added 2017-08-07 21:12:05 UTC


# rev 6. Only change versus rev 5: adds the "kankan.com|0d 0a|" http_header
# exclusion (anchored to a line end, unlike the rev 5 "aocdn.net" entry).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:6;)

Added 2015-07-02 17:52:37 UTC


# rev 5. Only change versus rev 4: adds an "aocdn.net" http_header exclusion.
# Unlike the other host exclusions it carries no "|0d 0a|" anchor, so it
# suppresses the alert whenever "aocdn.net" appears anywhere in the request
# headers; that unanchored form is carried through every later revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:5;)

Added 2014-10-17 17:26:18 UTC


# rev 4. Changes versus rev 3:
#  - Header changed from "alert tcp ... $EXTERNAL_NET $HTTP_PORTS" to
#    "alert http ... $EXTERNAL_NET any", so matching follows the HTTP app-layer
#    parser rather than a fixed port list.
#  - The "Accept-Encoding|3a|" absence check was dropped; Referer and
#    Accept-Language absence are still required.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:4;)

Added 2014-07-22 18:37:22 UTC


# rev 3, the first revision recorded on this page (2014-02-01). Original form:
# "alert tcp" on $HTTP_PORTS, ".bin" in http_uri as fast_pattern:only, the
# case-sensitive URI pcre, " MSIE " in http_header, and absence of Referer,
# Accept-Encoding and Accept-Language headers (negated "Name|3a|" in
# http_header). Host exclusions are "string|0d 0a|" in http_header, i.e. any
# header line ending with that string suppresses the alert. The closing
# "|0d 0a 0d 0a|" content requires the end of the header block.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:3;)

Added 2014-02-01 00:47:25 UTC

