# sid 2018452, rev 16 (newest revision on this page): outbound HTTP request from
# $HOME_NET on any port, established flow toward the server. All of these must hold:
#   - URI shorter than 134 bytes, ending in "/" or "=" followed by 8+ lowercase
#     alphanumerics (pcre with /U)
#   - request body is one lowercase letter, "=", then 80+ lowercase hex characters
#     (content "=" at offset 1, confirmed by the /P pcre)
#   - User-Agent contains " MSIE " (this is also the fast_pattern)
#   - Accept is exactly "*/*" and Content-Type is exactly
#     "application/x-www-form-urlencoded" (depth plus isdataat:!1,relative allows no
#     trailing bytes)
#   - the header-name list starts with Accept then Content-Type, and contains no
#     "Accept-" name (case-insensitive) and no Referer
# The rule depends on parsed cleartext HTTP; the md5 reference is the sample it was written from.
# NOTE(review): the "?" after CryptoWall in msg looks like a wiki-rendering artifact
# (WikiWord link marker) - compare with the published ruleset before loading this copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<134; content:"="; offset:1; depth:1; http_client_body; content:" MSIE "; fast_pattern; http_user_agent; pcre:"/[\/=][a-z0-9]{8,}$/U"; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http_header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; depth:24; content:!"Accept-"; nocase; content:!"Referer"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:16; metadata:created_at 2014_05_05, updated_at 2019_05_22;)

Added 2019-05-22 20:30:36 UTC


# sid 2018452, rev 16, as first recorded on 2019-05-22 (same rule text as the later
# rev 16 entry on this page). Compared with rev 15, the single 62-byte http_header
# match is replaced by three separate buffers:
#   - http_accept: value must be exactly "*/*"
#   - http_content_type: value must be exactly "application/x-www-form-urlencoded"
#   - http_header_names: Accept must be the first header name and Content-Type the
#     second; no "Accept-" name (nocase) and no Referer name may appear
# Unchanged from rev 15: URI under 134 bytes ending in "/" or "=" plus 8+ lowercase
# alphanumerics; body of one lowercase letter, "=", and 80+ lowercase hex characters;
# User-Agent containing " MSIE " as the fast_pattern.
# NOTE(review): the "?" in msg is probably a wiki-rendering artifact - confirm before deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<134; content:"="; offset:1; depth:1; http_client_body; content:" MSIE "; fast_pattern; http_user_agent; pcre:"/[\/=][a-z0-9]{8,}$/U"; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http_header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; depth:24; content:!"Accept-"; nocase; content:!"Referer"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:16; metadata:created_at 2014_05_05, updated_at 2019_05_22;)

Added 2019-05-22 19:32:45 UTC


# sid 2018452, rev 15 (superseded by rev 16 on this page): outbound HTTP request,
# any port, established flow toward the server. All of these must hold:
#   - URI under 134 bytes, ending in "/" or "=" followed by 8+ lowercase alphanumerics
#   - body: one lowercase letter, "=", then 80+ lowercase hex characters
#   - User-Agent contains " MSIE " (fast_pattern)
#   - the http_header buffer begins with "Accept: */*" immediately followed by
#     "Content-Type: application/x-www-form-urlencoded" (62 bytes, hence depth:62)
#   - no header line beginning "Accept-" after a CRLF (nocase) and no "Referer:"
# updated_at in the metadata still equals created_at, so it does not record when
# rev 15 was written; the page's "Added" timestamp is the only date shown for that.
# NOTE(review): the "?" in msg is probably a wiki-rendering artifact - confirm before deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<134; content:"="; offset:1; depth:1; http_client_body; content:" MSIE "; fast_pattern; http_user_agent; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; content:!"|0d 0a|Accept-"; nocase; http_header; content:!"Referer|3a|"; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:15; metadata:created_at 2014_05_05, updated_at 2014_05_05;)

Added 2018-09-13 19:48:44 UTC


Added 2018-09-13 17:58:39 UTC


# sid 2018452, rev 15 with a metadata field added (created_at / updated_at, both
# 2014_05_05); the detection options match the earlier rev 15 entry on this page.
# Outbound HTTP request, any port, established flow toward the server:
#   - URI under 134 bytes, ending in "/" or "=" followed by 8+ lowercase alphanumerics
#   - body: one lowercase letter, "=", then 80+ lowercase hex characters
#   - User-Agent contains " MSIE " (fast_pattern)
#   - headers begin with "Accept: */*" then
#     "Content-Type: application/x-www-form-urlencoded" (depth:62 pins both to the start)
#   - no "Accept-" header line (nocase) and no "Referer:" in the header buffer
# NOTE(review): the "?" in msg is probably a wiki-rendering artifact - confirm before deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<134; content:"="; offset:1; depth:1; http_client_body; content:" MSIE "; fast_pattern; http_user_agent; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; content:!"|0d 0a|Accept-"; nocase; http_header; content:!"Referer|3a|"; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:15; metadata:created_at 2014_05_05, updated_at 2014_05_05;)

Added 2017-08-07 21:12:31 UTC


# sid 2018452, rev 15 as first recorded (no metadata field yet). Compared with
# rev 13, the " MSIE " fast_pattern is checked in http_user_agent instead of the
# whole http_header buffer, and the options are reordered so the content matches
# come before the two pcre checks.
# Conditions: outbound HTTP on any port, established flow toward the server;
# URI under 134 bytes ending in "/" or "=" plus 8+ lowercase alphanumerics;
# body of one lowercase letter, "=", and 80+ lowercase hex characters; headers
# beginning "Accept: */*" then "Content-Type: application/x-www-form-urlencoded";
# no "Accept-" header line (nocase) and no "Referer:".
# NOTE(review): the "?" in msg is probably a wiki-rendering artifact - confirm before deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<134; content:"="; offset:1; depth:1; http_client_body; content:" MSIE "; fast_pattern; http_user_agent; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; content:!"|0d 0a|Accept-"; nocase; http_header; content:!"Referer|3a|"; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:15;)

Added 2015-11-05 15:55:08 UTC


# sid 2018452, rev 13 (historical): the URI length bound is raised to <134 from the
# <110 of rev 12; the other options are the same as in rev 12.
# Conditions: outbound HTTP on any port, established flow toward the server;
# URI ending in "/" or "=" plus 8+ lowercase alphanumerics; body of one lowercase
# letter, "=", and 80+ lowercase hex characters; headers beginning "Accept: */*"
# then "Content-Type: application/x-www-form-urlencoded" (depth:62); no "Accept-"
# header line (nocase) and no "Referer:".
# " MSIE " is matched anywhere in http_header here, not specifically in the User-Agent.
# NOTE(review): the "?" in msg is probably a wiki-rendering artifact - confirm before deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<134; content:!"|0d 0a|Accept-"; nocase; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; content:!"Referer|3a|"; http_header; content:"="; offset:1; depth:1; http_client_body; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; content:" MSIE "; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:13;)

Added 2015-07-20 21:08:52 UTC


# sid 2018452, rev 12 (historical): the URI length bound is raised to <110 from the
# <90 of rev 11; the other options are the same as in rev 11.
# Conditions: outbound HTTP on any port, established flow toward the server;
# URI ending in "/" or "=" plus 8+ lowercase alphanumerics; body of one lowercase
# letter, "=", and 80+ lowercase hex characters; " MSIE " somewhere in http_header
# (fast_pattern); headers beginning "Accept: */*" then
# "Content-Type: application/x-www-form-urlencoded"; no "Accept-" header line
# (nocase) and no "Referer:".
# NOTE(review): the "?" in msg is probably a wiki-rendering artifact - confirm before deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<110; content:!"|0d 0a|Accept-"; nocase; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; content:!"Referer|3a|"; http_header; content:"="; offset:1; depth:1; http_client_body; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; content:" MSIE "; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:12;)

Added 2015-05-27 18:46:22 UTC


# sid 2018452, rev 11 (historical): the URI length bound is raised to <90 from the
# <40 of rev 10; the other options are the same as in rev 10.
# Conditions: outbound HTTP on any port, established flow toward the server;
# URI ending in "/" or "=" plus 8+ lowercase alphanumerics; body of one lowercase
# letter, "=", and 80+ lowercase hex characters; " MSIE " somewhere in http_header
# (fast_pattern); headers beginning "Accept: */*" then
# "Content-Type: application/x-www-form-urlencoded"; no "Accept-" header line
# (nocase) and no "Referer:".
# NOTE(review): the "?" in msg is probably a wiki-rendering artifact - confirm before deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<90; content:!"|0d 0a|Accept-"; nocase; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; content:!"Referer|3a|"; http_header; content:"="; offset:1; depth:1; http_client_body; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; content:" MSIE "; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:11;)

Added 2015-03-31 18:47:29 UTC


# sid 2018452, rev 10 (historical). Changes visible against rev 8 on this page:
#   - header is "alert http ... any" instead of "alert tcp ... $HTTP_PORTS", so the
#     match no longer depends on the destination port
#   - URI bound raised from <25 to <40
#   - URI pcre loosened from "whole URI is / plus lowercase alphanumerics" to
#     "URI ends in / or = followed by 8+ lowercase alphanumerics"
# Unchanged: body of one lowercase letter, "=", and 80+ lowercase hex characters;
# " MSIE " in http_header (fast_pattern); headers beginning "Accept: */*" then
# "Content-Type: application/x-www-form-urlencoded"; no "Accept-" header line
# (nocase) and no "Referer:".
# NOTE(review): the "?" in msg is probably a wiki-rendering artifact - confirm before deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<40; content:!"|0d 0a|Accept-"; nocase; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; content:!"Referer|3a|"; http_header; content:"="; offset:1; depth:1; http_client_body; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; content:" MSIE "; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:10;)

Added 2015-02-06 10:46:11 UTC


# sid 2018452, rev 8 (oldest revision on this page, added 2014-05-05): TCP rule
# limited to destination ports in $HTTP_PORTS, established flow toward the server.
# All of these must hold:
#   - URI under 25 bytes and consisting only of "/" followed by lowercase
#     alphanumerics (pcre anchored at both ends, /U)
#   - body: one lowercase letter, "=", then 80+ lowercase hex characters
#   - " MSIE " somewhere in http_header (fast_pattern)
#   - headers begin with "Accept: */*" then
#     "Content-Type: application/x-www-form-urlencoded" (62 bytes, depth:62)
#   - no "Accept-" header line after a CRLF (nocase) and no "Referer:"
# Traffic to ports outside $HTTP_PORTS is not inspected by this revision.
# NOTE(review): the "?" in msg is probably a wiki-rendering artifact - confirm before deploying.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<25; content:!"|0d 0a|Accept-"; nocase; http_header; pcre:"/^\/[a-z0-9]+$/U"; content:!"Referer|3a|"; http_header; content:"="; offset:1; depth:1; http_client_body; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; content:" MSIE "; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:8;)

Added 2014-05-05 16:47:56 UTC

