# sid 2018283, rev 6: inbound half of a suspected Netwire RAT heartbeat exchange.
# Direction: $EXTERNAL_NET -> $HOME_NET on an established flow, packets travelling to the client.
# Precondition: flowbit ET.Netwire.HB must already be set on the flow. The rule that sets it
#   is not shown here, so this signature cannot fire on its own.
# Payload: exactly 5 bytes (dsize:5). The first four must be 01 00 00 00 (content + depth:4),
#   and the relative pcre (/R) requires the one remaining byte to fall in 0x01-0x4c.
# Rate: "type threshold ... count 3, seconds 60, track by_src" raises an alert on every third
#   match from the same source address within a 60-second window.
# NOTE(review): the msg is worded "Possible ... ?" and the match is a 5-byte pattern, so treat
#   a hit as a lead to corroborate (flowbit-setting rule, endpoint evidence), not as a verdict.
# NOTE(review): the reference:md5 values presumably identify the analysed samples; confirm
#   against the ruleset documentation.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat? C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; pcre:"/^[\x01-\x4c]$/R"; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:trojan-activity; sid:2018283; rev:6; metadata:created_at 2014_03_14, updated_at 2019_06_27;)

Added 2019-06-27 18:10:15 UTC


# sid 2018283, rev 5: inbound half of a suspected Netwire RAT heartbeat exchange.
# Direction: $EXTERNAL_NET -> $HOME_NET on an established flow, packets travelling to the client.
# Precondition: flowbit ET.Netwire.HB must already be set on the flow. The rule that sets it
#   is not shown here.
# Payload: exactly 5 bytes (dsize:5) beginning with 01 00 00 00 (content + depth:4). This
#   revision places no constraint on the fifth byte, so any value matches.
# Rate: "type threshold ... count 3, seconds 60, track by_src" raises an alert on every third
#   match from the same source address within a 60-second window.
# NOTE(review): with only four fixed bytes, the flowbit precondition carries most of the
#   specificity; corroborate hits before acting on them.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat? C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:trojan-activity; sid:2018283; rev:5; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

Added 2018-09-13 19:48:35 UTC


Added 2018-09-13 17:58:32 UTC


# sid 2018283, rev 5 (as captured on the date below): inbound half of a suspected Netwire RAT
#   heartbeat exchange.
# Direction: $EXTERNAL_NET -> $HOME_NET on an established flow, packets travelling to the client.
# Precondition: flowbit ET.Netwire.HB must already be set on the flow. The rule that sets it
#   is not shown here.
# Payload: exactly 5 bytes (dsize:5) beginning with 01 00 00 00 (content + depth:4). The fifth
#   byte is unconstrained.
# Rate: "type threshold ... count 3, seconds 60, track by_src" raises an alert on every third
#   match from the same source address within a 60-second window.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat? C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:trojan-activity; sid:2018283; rev:5; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

Added 2017-12-11 16:55:43 UTC


# sid 2018283, rev 3: outbound form of the suspected Netwire RAT heartbeat signature.
# Direction: $HOME_NET -> $EXTERNAL_NET on an established flow, packets travelling to the server.
# Payload: exactly 5 bytes (dsize:5) equal to 01 00 00 00 01. The content is as long as the
#   payload, so it must match the whole packet body.
# Flowbit state machine: the rule fires only when ET.Netwire.HB.1 is NOT set and
#   ET.Netwire.HB.2 IS set, then clears ET.Netwire.HB.2 on match. The rules that set these
#   bits are not shown here.
# Rate: no threshold keyword, so every matching packet that passes the flowbit checks alerts.
# NOTE(review): the msg is worded "Possible ... ?"; treat hits as leads to corroborate.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat? C2"; flow:established,to_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isnotset,ET.Netwire.HB.1; flowbits:isset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.2; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:trojan-activity; sid:2018283; rev:3; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

Added 2017-08-07 21:12:20 UTC


# sid 2018283, rev 3 (copy without a metadata keyword): outbound form of the suspected
#   Netwire RAT heartbeat signature.
# Direction: $HOME_NET -> $EXTERNAL_NET on an established flow, packets travelling to the server.
# Payload: exactly 5 bytes (dsize:5) equal to 01 00 00 00 01.
# Flowbit state machine: requires ET.Netwire.HB.1 unset and ET.Netwire.HB.2 set, and clears
#   ET.Netwire.HB.2 on match. The rules that set these bits are not shown here.
# Rate: no threshold keyword, so every matching packet that passes the flowbit checks alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat? C2"; flow:established,to_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isnotset,ET.Netwire.HB.1; flowbits:isset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.2; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:trojan-activity; sid:2018283; rev:3;)

Added 2014-04-14 19:22:51 UTC


