# sid 2019457 rev 13 (metadata updated_at 2020_05_19): outbound HTTP POST that the msg attributes to Vawtrak/NeverQuest.
# Match conditions, all required:
#   - established flow to the server, HTTP method POST
#   - URI contains "/0" and, starting at least one byte after it, "/0000" (the fast_pattern)
#   - no "Referer:" header; User-Agent contains "Windows NT"
#   - pcre on the normalized URI (/U): /0[0-2], optional segment, /0000 + 4 hex, optional segment,
#     / + 8 hex, optional ?name=hex query, anchored at end of URI
# flowbits:set has no noalert, so this rule both alerts and sets ET.Vawtrak; the rule(s) that test
# the flowbit are not shown on this page.
# NOTE(review): the only difference from the older rev 13 copies below is updated_at, so rev alone
# does not distinguish them. Direction is $HOME_NET -> $EXTERNAL_NET; confirm the sensor sees the
# client-to-Internet leg (e.g. behind an internal proxy) before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/U"; content:"Windows NT"; http_user_agent; flowbits:set,ET.Vawtrak; classtype:trojan-activity; sid:2019457; rev:13; metadata:created_at 2014_10_17, updated_at 2020_05_19;)

Added 2020-05-19 18:33:33 UTC


# sid 2019457 rev 13 as published 2018-09-13: same detection logic as the 2020 copy above.
# NOTE(review): updated_at equals created_at (2014_10_17) although the rule is already at rev 13,
# so the metadata dates on this copy do not reflect the rule's edit history. Presumably they were
# backfilled when the metadata keyword was introduced; confirm before using them for rule-age triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/U"; content:"Windows NT"; http_user_agent; flowbits:set,ET.Vawtrak; classtype:trojan-activity; sid:2019457; rev:13; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

Added 2018-09-13 19:49:35 UTC


Added 2018-09-13 17:59:09 UTC


# sid 2019457 rev 13 as published 2017-08-07: first copy on this page that carries the metadata
# keyword (created_at / updated_at). The match options are unchanged from the 2015-03-26 rev 13 copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/U"; content:"Windows NT"; http_user_agent; flowbits:set,ET.Vawtrak; classtype:trojan-activity; sid:2019457; rev:13; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

Added 2017-08-07 21:13:43 UTC


# sid 2019457 rev 13 as published 2015-03-26, before the metadata keyword appears.
# Change from rev 12: the URI pcre gains a second optional path segment, (?:\/[^\/]*?)?, between
# the /0000 + 4 hex part and the final 8-hex segment, so URIs with an extra segment there now match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/U"; content:"Windows NT"; http_user_agent; flowbits:set,ET.Vawtrak; classtype:trojan-activity; sid:2019457; rev:13;)

Added 2015-03-26 19:37:31 UTC


# sid 2019457 rev 12 (2015-03-04).
# Change from rev 10 (rev 11 is not shown on this page): the User-Agent pcre is replaced by a
# plain content match for "Windows NT" in the http_user_agent buffer.
# The URI pcre here requires the 8-hex segment to follow /0000 + 4 hex directly.
# The missing space after "flow:established,to_server;" is cosmetic only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server;content:"POST"; http_method; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/U"; content:"Windows NT"; http_user_agent; flowbits:set,ET.Vawtrak; classtype:trojan-activity; sid:2019457; rev:12;)

Added 2015-03-04 20:19:01 UTC


# sid 2019457 rev 10 (2014-12-08).
# Changes from rev 6 (revs 7-9 are not shown on this page):
#   - the Content-Type/User-Agent header-order content match is dropped
#   - the ?name=hex query string becomes optional
#   - flowbits:set,ET.Vawtrak is added
#   - a second pcre (/Hmi: http header buffer, multiline, case-insensitive) requires a User-Agent
#     line containing "MSIE" or "rv:11"
# NOTE(review): the class [^r\n] excludes the literal letter "r", not carriage return; it was
# probably meant to be [^\r\n]. As written, a User-Agent with an "r" before the "rv:11" token
# (for example one containing "Trident") cannot match that alternative, so IE 11-style agents are
# likely missed by this revision. Later revisions replace this pcre entirely.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/U"; pcre:"/^User-Agent\x3a[^r\n]+?(?:MSIE|rv\x3a11)/Hmi"; flowbits:set,ET.Vawtrak; classtype:trojan-activity; sid:2019457; rev:10;)

Added 2014-12-08 17:52:20 UTC


# sid 2019457 rev 6 (2014-10-24).
# Change from rev 5: content:"POST" now carries http_method, so it is checked against the parsed
# request method.
# This revision still requires the header sequence
# "Content-Type: application/octet-stream\r\nUser-Agent", i.e. Content-Type immediately followed
# by User-Agent, which ties the match to one specific header order.
# The URI pcre requires the ?name=hex query string (it becomes optional by rev 10).
# No flowbit is set in this revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}\/[a-fA-F0-9]{8}\?\w+=[a-fA-F0-9]+$/U"; classtype:trojan-activity; sid:2019457; rev:6;)

Added 2014-10-24 16:52:20 UTC


# sid 2019457 rev 5 (2014-10-17), the oldest revision shown on this page.
# NOTE(review): content:"POST" has no buffer modifier here, so it is not tied to the HTTP method
# buffer and can be satisfied by the bytes "POST" elsewhere in the inspected payload. Rev 6 adds
# http_method to close that gap.
# The other conditions are the "/0" ... "/0000" URI contents, the Content-Type-then-User-Agent
# header sequence, the absence of a Referer header, and the URI pcre with a mandatory
# ?name=hex query string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}\/[a-fA-F0-9]{8}\?\w+=[a-fA-F0-9]+$/U"; classtype:trojan-activity; sid:2019457; rev:5;)

Added 2014-10-17 17:26:19 UTC


Topic revision: r1 - 2020-05-19 - TWikiGuest
 