# ET TROJAN Sofacy Request Outbound -- sid 2019545, rev 1237 (created 2014_10_28, updated 2019_10_07).
# Alerts on an established client->server HTTP request from $HOME_NET to $EXTERNAL_NET when, on the
# normalized URI, "/?" and "&ai=" are present and "&adurl=" is absent, no "Referer" header is sent,
# and the User-Agent contains "Windows NT".
# The pcre (/U = normalized URI buffer) then pins the exact shape: one lowercase path segment, "/?",
# one or more "lowercase-key=value&" pairs with values over [A-Za-z0-9_-] (\x5f = "_", \x2d = "-"),
# then "ai=" followed by five non-"&" characters and a base64url-like tail (4-char groups over the
# same alphabet, ending in "==", "=" or a full group) terminated by "&" or end of URI.
# Change from rev 1236: "fast_pattern:only" became "fast_pattern". Under Snort semantics the "&ai="
# content is still the prefilter pattern but is now also verified in the normal match phase; how the
# engine in use treats the old ":only" form should be confirmed against its documentation.
# "metadata: former_category MALWARE" records the category the rule lived in before "TROJAN".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern; content:!"Referer"; http_header; content:"Windows NT"; http_user_agent; content:!"&adurl="; http_uri; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; metadata: former_category MALWARE; classtype:trojan-activity; sid:2019545; rev:1237; metadata:created_at 2014_10_28, updated_at 2016_09_20;)

Added 2019-10-08 19:34:14 UTC


# sid 2019545, rev 1236 as published 2019-09-26: identical matching logic to the earlier rev 1236
# entries on this page (URI "/?" + "&ai=", no "&adurl=", no Referer, "Windows NT" User-Agent,
# anchored base64url-style pcre on the normalized URI). The only textual difference is the added
# "metadata: former_category MALWARE;" -- a re-categorization note, not a detection change.
# Still uses "fast_pattern:only" on "&ai="; the rev 1237 entry above drops the ":only".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"Windows NT"; http_user_agent; content:!"&adurl="; http_uri; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; metadata: former_category MALWARE; classtype:trojan-activity; sid:2019545; rev:1236; metadata:created_at 2014_10_28, updated_at 2016_09_20;)

Added 2019-09-26 19:57:46 UTC


# sid 2019545, rev 1236, history entry dated 2018-09-13. The rule text is byte-identical to the
# 2017-08-07 entry below (rev 1236 plus created_at/updated_at metadata); no detection change.
# Note the page shows a second "Added 2018-09-13" timestamp with no rule attached -- likely a
# rendering artifact of the history page rather than a lost revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"Windows NT"; http_user_agent; content:!"&adurl="; http_uri; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; classtype:trojan-activity; sid:2019545; rev:1236; metadata:created_at 2014_10_28, updated_at 2016_09_20;)

Added 2018-09-13 19:49:38 UTC


Added 2018-09-13 17:59:12 UTC


# sid 2019545, rev 1236, history entry dated 2017-08-07. Matching logic is unchanged from the
# rev 1236 entry added 2017-04-19; this entry only appends
# "metadata:created_at 2014_10_28, updated_at 2016_09_20;" (the rev number was not bumped).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"Windows NT"; http_user_agent; content:!"&adurl="; http_uri; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; classtype:trojan-activity; sid:2019545; rev:1236; metadata:created_at 2014_10_28, updated_at 2016_09_20;)

Added 2017-08-07 21:13:49 UTC


# sid 2019545, rev 1236 (added 2017-04-19). Change from rev 1235: a negated URI content
# "content:!"&adurl="; http_uri;" so requests whose normalized URI contains "&adurl=" no longer
# match. The page gives no rationale; presumably a false-positive reduction for look-alike
# ad/tracking query strings -- confirm against the ET changelog before relying on that reading.
# All other constraints (no Referer, "Windows NT" User-Agent, anchored pcre) are as in rev 1235.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"Windows NT"; http_user_agent; content:!"&adurl="; http_uri; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; classtype:trojan-activity; sid:2019545; rev:1236;)

Added 2017-04-19 17:17:28 UTC


# sid 2019545, rev 1235 (added 2016-09-22). Change from rev 1234: adds
# "content:"Windows NT"; http_user_agent;" so the request must also carry a User-Agent
# containing "Windows NT". Everything else (URI "/?" + "&ai=", no Referer, the anchored
# base64url-style pcre on the normalized URI) is unchanged from rev 1234.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"Windows NT"; http_user_agent; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; classtype:trojan-activity; sid:2019545; rev:1235;)

Added 2016-09-22 17:54:45 UTC


# sid 2019545, rev 1234 (added 2014-10-29 17:48). The rule text is identical to rev 1233 apart
# from the rev number; no detection change is visible on this page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern:only; content:!"Referer"; http_header; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; classtype:trojan-activity; sid:2019545; rev:1234;)

Added 2014-10-29 17:48:46 UTC


# sid 2019545, rev 1233 (added 2014-10-29 12:52). Change from rev 1232: the pcre is now anchored
# with "^" at the start of the normalized URI and replaces the permissive ".+?&ai=" with an explicit
# parameter grammar "(?:[a-z]+?=[A-Za-z0-9_-]+&){1,}ai=" -- one lowercase path segment, "/?", then
# one or more lowercase-key parameters with [A-Za-z0-9_-] values before "ai=". This tightens the
# match to a specific URI structure instead of "&ai=<base64url-like>" anywhere in the query.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern:only; content:!"Referer"; http_header; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; classtype:trojan-activity; sid:2019545; rev:1233;)

Added 2014-10-29 12:52:19 UTC


# sid 2019545, rev 1232 (added 2014-10-28) -- the original form of the rule.
# Matches an established outbound HTTP request from $HOME_NET whose normalized URI contains "/?"
# and "&ai=" ("&ai=" is the fast-pattern, ":only" form) and which carries no "Referer" header.
# The pcre (/U) is unanchored: "/<lowercase>/?" may appear anywhere in the URI, any characters
# (lazy ".+?") may precede "&ai=", and the value must be five non-"&" characters followed by a
# base64url-like tail (4-char groups over [A-Za-z0-9_-]; \x5f = "_", \x2d = "-"; "==" / "=" / full
# group ending) terminated by "&" or end of URI. Later revisions anchor this and add User-Agent
# and "&adurl=" constraints; this baseline is the loosest and most false-positive-prone variant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern:only; content:!"Referer"; http_header; pcre:"/\/[a-z]+?\/\?.+?&ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; classtype:trojan-activity; sid:2019545; rev:1232;)

Added 2014-10-28 18:11:43 UTC

