alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm? INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)

Added 2020-11-24 17:54:50 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm? INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:2; metadata:created_at 2014_10_14, updated_at 2014_10_14;)

Added 2018-09-13 19:49:30 UTC


Added 2018-09-13 17:59:07 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm? INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:2; metadata:created_at 2014_10_14, updated_at 2014_10_14;)

Added 2017-08-07 21:13:39 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm? INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:2;)

Added 2014-10-14 20:43:33 UTC


Topic revision: r1 - 2020-11-24 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats