# sid 2019168 rev 6 (metadata updated_at 2020_11_03): outbound HTTP POST with the Tinba check-in shape.
# Conditions, in keyword order:
#  - flow / http_method: established client-to-server request whose method is POST.
#  - Raw payload: a CRLFCRLF (normally the header/body boundary) after which the next four bytes
#    are neither all 0x00 nor all 0xFF.
#  - byte_extract saves four bytes at that point as Tinba.Pivot; the two byte_tests require the four
#    bytes at relative offset 16 to equal it and the four bytes at relative offset 4 to differ.
#    NOTE(review): whether 16 and 4 count from the CRLFCRLF or from the end of the extracted bytes
#    depends on how the engine moves the cursor after byte_extract - confirm against a capture.
#  - http_header_names: the 26-byte pattern with depth:26 and isdataat:!1,relative means the buffer is
#    exactly Host then Content-Length, so any additional request header prevents a match.
#  - http_content_len: the value, read as a decimal string, must be greater than 99.
#  - http_start: request line ends in "/ HTTP/1.0" and Host is the first header (the fast_pattern).
# Side effect: sets flowbit ET.Tinba.Checkin. Presumably a companion rule tests it (none is shown on
# this page) - look for flowbits:isset users before disabling or suppressing this sid.
# Scope: only $HOME_NET -> $EXTERNAL_NET, so a request whose next hop is inside $HOME_NET
# (for example an internal forward proxy) is not inspected by this rule on that leg.
# reference:md5 is the sample hash the signature was written against.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; flowbits:set,ET.Tinba.Checkin; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; depth:26; isdataat:!1,relative; http_content_len; byte_test:0,>,99,0,string,dec; http_start; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:6; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2020_11_03;)

Added 2020-11-03 18:44:37 UTC


# sid 2019168 rev 6 as published with metadata updated_at 2020_03_03 and former_category folded into
# the single metadata keyword. Detection keywords: outbound POST; after a CRLFCRLF the next four
# bytes are not all 0x00/0xFF, are saved as Tinba.Pivot, and must recur at relative offset 16 but
# not at relative offset 4 (NOTE(review): confirm the base of those offsets against a capture).
# http_header_names must be exactly Host then Content-Length; http_content_len must exceed 99;
# http_start must contain "/ HTTP/1.0" followed by the Host header (fast_pattern).
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; flowbits:set,ET.Tinba.Checkin; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; depth:26; isdataat:!1,relative; http_content_len; byte_test:0,>,99,0,string,dec; http_start; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:6; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2020_03_03;)

Added 2020-08-05 19:10:12 UTC


# sid 2019168 rev 6, first published form: the rule carries two metadata keywords (former_category
# in its own keyword ahead of reference, created_at/updated_at at the end).
# Replaces the header checks of the earlier revisions with HTTP sticky buffers:
#  - http_header_names must be exactly Host then Content-Length (depth:26 plus isdataat:!1,relative),
#    which covers the earlier "no User-Agent / no Accept" negations.
#  - http_content_len must be greater than 99, where rev 5 and earlier only required two or more digits.
#  - http_start carries the "/ HTTP/1.0" + Host fast_pattern.
# Body check: after a CRLFCRLF the next four bytes are not all 0x00/0xFF, are saved as Tinba.Pivot,
# and must recur at relative offset 16 but not at relative offset 4
# (NOTE(review): confirm the base of those offsets against a capture).
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; flowbits:set,ET.Tinba.Checkin; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; depth:26; isdataat:!1,relative; http_content_len; byte_test:0,>,99,0,string,dec; http_start; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; metadata: former_category MALWARE; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:6; metadata:created_at 2014_09_12, updated_at 2020_03_03;)

Added 2020-03-03 18:12:52 UTC


# sid 2019168 rev 5: outbound HTTP POST with the Tinba check-in shape, written with content modifiers.
#  - http_header negations: no "User-Agent:" and no "Accept" substring anywhere in the headers
#    (no nocase is given, so both are case-sensitive as written).
#  - Raw payload fast_pattern: request line ends in "/ HTTP/1.0" and Host is the first header.
#    This revision uses plain fast_pattern where rev 4 used fast_pattern:only.
#  - Body check: after a CRLFCRLF the next four bytes are not all 0x00/0xFF, are saved as
#    Tinba.Pivot, and must recur at relative offset 16 but not at relative offset 4
#    (NOTE(review): confirm the base of those offsets against a capture).
#  - pcre with /H: the header buffer is Host followed by Content-Length with two or more digits
#    and nothing after it.
# Sets flowbit ET.Tinba.Checkin on match; presumably read by a companion rule not shown on this page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; metadata: former_category MALWARE; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:5; metadata:created_at 2014_09_12, updated_at 2019_10_07;)

Added 2019-10-08 19:34:12 UTC


# sid 2019168 rev 4 with a separate "metadata: former_category MALWARE" keyword added.
# Outbound POST with no "User-Agent:" header and no "Accept" substring in the headers; the request
# line ends in "/ HTTP/1.0" with Host first (fast_pattern:only, raw payload).
# Body check: after a CRLFCRLF the next four bytes are not all 0x00/0xFF, are saved as Tinba.Pivot,
# and must recur at relative offset 16 but not at relative offset 4
# (NOTE(review): confirm the base of those offsets against a capture).
# pcre with /H: header buffer is only Host followed by Content-Length with two or more digits.
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; metadata: former_category MALWARE; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)

Added 2019-09-26 19:57:44 UTC


# sid 2019168 rev 4 with created_at/updated_at metadata and no former_category.
# Outbound POST with no "User-Agent:" header and no "Accept" substring in the headers; the request
# line ends in "/ HTTP/1.0" with Host first (fast_pattern:only, raw payload).
# Body check: after a CRLFCRLF the next four bytes are not all 0x00/0xFF, are saved as Tinba.Pivot,
# and must recur at relative offset 16 but not at relative offset 4
# (NOTE(review): confirm the base of those offsets against a capture).
# pcre with /H: header buffer is only Host followed by Content-Length with two or more digits.
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)

Added 2018-09-13 19:49:18 UTC


Added 2018-09-13 17:58:59 UTC


# sid 2019168 rev 4 with created_at/updated_at metadata; detection keywords are those of rev 4.
# Outbound POST with no "User-Agent:" header and no "Accept" substring in the headers; the request
# line ends in "/ HTTP/1.0" with Host first (fast_pattern:only, raw payload).
# Body check: after a CRLFCRLF the next four bytes are not all 0x00/0xFF, are saved as Tinba.Pivot,
# and must recur at relative offset 16 but not at relative offset 4
# (NOTE(review): confirm the base of those offsets against a capture).
# pcre with /H: header buffer is only Host followed by Content-Length with two or more digits.
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)

Added 2017-08-07 21:13:22 UTC


# sid 2019168 rev 4, published without a metadata keyword.
# Outbound POST with no "User-Agent:" header and no "Accept" substring in the headers; the request
# line ends in "/ HTTP/1.0" with Host first (fast_pattern:only, raw payload).
# Body check: after a CRLFCRLF the next four bytes are not all 0x00/0xFF, are saved as Tinba.Pivot,
# and must recur at relative offset 16 but not at relative offset 4
# (NOTE(review): confirm the base of those offsets against a capture).
# pcre with /H: header buffer is only Host followed by Content-Length with two or more digits.
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4;)

Added 2015-01-19 12:55:30 UTC


# sid 2019168 rev 4, earliest listing of this revision on the page (no metadata keyword).
# Replaces the rev 2 URI / User-Agent / form-body signature with a structural one:
#  - no "User-Agent:" header and no "Accept" substring in the headers;
#  - request line ends in "/ HTTP/1.0" with Host first (fast_pattern:only, raw payload);
#  - after a CRLFCRLF the next four bytes are not all 0x00/0xFF, are saved as Tinba.Pivot, and
#    must recur at relative offset 16 but not at relative offset 4
#    (NOTE(review): confirm the base of those offsets against a capture);
#  - pcre with /H: header buffer is only Host followed by Content-Length with two or more digits.
# First revision on this page that sets flowbit ET.Tinba.Checkin.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4;)

Added 2015-01-16 17:46:30 UTC


# sid 2019168 rev 2: original form of the signature, keyed on request text rather than body structure.
#  - flow / http_method: established client-to-server POST.
#  - Raw payload from offset 7: ".php HTTP/1.1" immediately followed by the Host header.
#  - http_header contains ":80" at the end of a header line (presumably the Host header carrying
#    an explicit port - verify against the referenced sample).
#  - http_client_body starts with "i=%" (depth:3); this is the fast_pattern.
#  - http_user_agent contains " MSIE ".
#  - No "Accept" substring and no "Referer:" in the headers (case-sensitive, no nocase).
# This revision sets no flowbit, so anything that tests ET.Tinba.Checkin gets nothing from it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; offset:7; content:"|3a|80|0d 0a|"; http_header; content:"i=%"; depth:3; http_client_body; fast_pattern; content:" MSIE "; http_user_agent; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:2;)

Added 2014-09-12 16:28:33 UTC

