# ET TROJAN Tinba Checkin (sid:2019168, rev:5) - heuristic for an outbound HTTP check-in.
# Request shape: POST from $HOME_NET to $EXTERNAL_NET on an established, to_server flow; the
#   header buffer must not contain "User-Agent:" or the text "Accept" (this also excludes
#   Accept-Encoding / Accept-Language); the raw request line ends in "/ HTTP/1.0" and is
#   directly followed by the Host header.
# Header check: the /H pcre is anchored at both ends, so it only accepts a Host line followed
#   by Content-Length with two or more digits and nothing else.
# Body check: after the CRLFCRLF terminator the next 4 bytes must be neither all 0x00 nor all
#   0xFF; byte_extract stores 4 bytes as Tinba.Pivot, then the byte_tests require the 4 bytes
#   at relative offset 16 to equal it and the 4 bytes at relative offset 4 to differ.
#   NOTE(review): exact byte positions depend on how the engine moves the relative cursor
#   after byte_extract - confirm with a test capture before changing any offset.
# fast_pattern is used here without ":only", unlike the rev:4 entries further down this page.
# On match the rule sets flowbit ET.Tinba.Checkin; no rule on this page reads that flowbit.
# reference:md5 is a sample hash for analyst lookup; it is not matched against traffic.
# "alert http" means the rule only applies to traffic the engine has parsed as HTTP, and the
#   direction check is only as good as the local $HOME_NET / $EXTERNAL_NET definitions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; metadata: former_category MALWARE; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:5; metadata:created_at 2014_09_12, updated_at 2019_10_07;)

Added 2019-10-08 19:34:12 UTC


# ET TROJAN Tinba Checkin (sid:2019168, rev:4), the variant carrying former_category metadata.
# Detection keywords: POST with no "User-Agent:" and no "Accept" text in the headers, raw
#   request line ending "/ HTTP/1.0" directly followed by Host, headers limited by the /H pcre
#   to Host plus a Content-Length of two or more digits, and 4-byte comparisons on the data
#   after the blank line (Tinba.Pivot must match at relative offset 16 and differ at offset 4).
# This entry contains "metadata: former_category MALWARE" while rev is still 4 and updated_at
#   is still 2014_09_12, the same values as the older rev:4 entries on this page. Rev and
#   updated_at alone therefore do not show that the text changed; compare the full rule text
#   when auditing ruleset updates.
# fast_pattern:only - NOTE(review): Suricata's documentation describes this form as accepted
#   but not required; confirm how the deployed engine version treats it.
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; metadata: former_category MALWARE; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)

Added 2019-09-26 19:57:44 UTC


# ET TROJAN Tinba Checkin (sid:2019168, rev:4) with created_at / updated_at metadata only
#   (no former_category keyword in this entry).
# Matches an outbound POST on an established flow whose headers, per the anchored /H pcre,
#   are just Host and a Content-Length of two or more digits; "User-Agent:" and any "Accept"
#   text must be absent, and the raw request line must end "/ HTTP/1.0" before Host.
# After the CRLFCRLF header terminator: the next 4 bytes must not be 00 00 00 00 or
#   FF FF FF FF; 4 bytes are extracted as Tinba.Pivot and compared (= at relative offset 16,
#   != at relative offset 4). NOTE(review): confirm cursor handling after byte_extract on the
#   target engine before relying on exact offsets.
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)

Added 2018-09-13 19:49:18 UTC


Added 2018-09-13 17:58:59 UTC


# ET TROJAN Tinba Checkin (sid:2019168, rev:4). The rule text is the same as the other rev:4
#   entry on this page that carries only created_at / updated_at metadata.
# Summary of the match: POST, no "User-Agent:" header, no "Accept" text in headers, request
#   line ending "/ HTTP/1.0" followed at once by Host, header buffer restricted by pcre to
#   Host + Content-Length (two or more digits), then 4-byte pivot comparisons on the bytes
#   after the blank line that ends the headers.
# The negated all-zero / all-0xFF checks use within:4, so they constrain only the first four
#   bytes after the CRLFCRLF match.
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)

Added 2017-08-07 21:13:22 UTC


# ET TROJAN Tinba Checkin (sid:2019168, rev:4) without any metadata keyword.
# The detection keywords are the same as in the rev:4 entries above that carry metadata;
#   only the trailing metadata keyword is absent, and rev is 4 in all of them.
# Match outline: outbound POST, minimal headers (Host and Content-Length only, enforced by the
#   anchored /H pcre), HTTP/1.0 request line ending in "/", and a body whose first 4 bytes are
#   not uniform 0x00/0xFF and are compared as Tinba.Pivot against later 4-byte values.
# Sets flowbit ET.Tinba.Checkin on match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4;)

Added 2015-01-19 12:55:30 UTC


# ET TROJAN Tinba Checkin (sid:2019168, rev:4), the earliest rev:4 text on this page.
# Compared with the rev:2 entry below, this revision drops the ".php" / "HTTP/1.1" / "i=%" /
#   " MSIE " content matches. It keys instead on an HTTP/1.0 POST to a path ending in "/" with
#   no User-Agent, and adds the Host + Content-Length pcre, the 4-byte Tinba.Pivot comparisons
#   on the data after the headers, and the ET.Tinba.Checkin flowbit.
# The sid is unchanged across that rewrite, so alerts recorded under sid:2019168 at different
#   times may reflect different traffic patterns; check rev in the alert record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4;)

Added 2015-01-16 17:46:30 UTC


# ET TROJAN Tinba Checkin (sid:2019168, rev:2) - oldest entry on this page; its logic differs
#   from the rev:4 / rev:5 entries that share the sid.
# Matches a POST whose raw payload, searched from offset 7, contains ".php HTTP/1.1" directly
#   followed by the Host header; the header buffer must contain ":80" followed by CRLF
#   (presumably an explicit port on the Host value - confirm against a sample); the client
#   body must begin with "i=%" (depth:3, chosen as the fast_pattern); and the User-Agent must
#   contain " MSIE ".
# Negations: no "Accept" text anywhere in the headers and no "Referer:" header.
# This revision sets no flowbit and performs no byte_extract / byte_test on the body.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; offset:7; content:"|3a|80|0d 0a|"; http_header; content:"i=%"; depth:3; http_client_body; fast_pattern; content:" MSIE "; http_user_agent; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:2;)

Added 2014-09-12 16:28:33 UTC

