# sid 2019881, rev 4: header-shape heuristic for an outbound HTTP POST check-in
# (msg "ET TROJAN Chthonic Check-in"). Every condition below must hold:
#   - flow is client-to-server on an established session, $HOME_NET -> $EXTERNAL_NET.
#   - the method buffer contains "POST".
#   - the normalized URI (/U) is "/" or a single lowercase-letter directory such as "/abc/".
#   - the User-Agent (/V) is exactly
#     "Mozilla/N.N (compatible; MSIE N.N; Windows NT N.N; SV1)", with nothing after "SV1)".
#     " MSIE " in http_user_agent is the fast pattern.
#   - http_header_names begins with Accept, User-Agent, Host, Content-Length, Connection
#     in that order (depth:56 equals the pattern length, so the match is pinned to offset 0)
#     and contains none of "Content-Type", "Accept-" or "Referer".
#   - the Accept value is exactly "*/*" (depth:3 plus isdataat:!1,relative).
# NOTE(review): no option inspects the request body or the destination, and header names
# after Connection are unconstrained apart from the three negations. Treat a hit as a
# lead: confirm against the POST body and destination host before declaring a compromise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Check-in"; flow:to_server,established; content:"POST"; http_method; content:" MSIE "; fast_pattern; http_user_agent; pcre:"/^\/(?:[a-z]+\/)?$/U"; pcre:"/^Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows\x20NT\x20\d+\.\d+\x3b\x20SV1\x29$/V"; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; classtype:trojan-activity; sid:2019881; rev:4; metadata:created_at 2014_12_06, updated_at 2019_05_22;)

Added 2019-05-22 20:30:37 UTC


# sid 2019881, rev 4 (msg "ET TROJAN Chthonic Check-in"): alerts on an outbound POST whose
# request shape matches all of the following:
#   - URI (/U): "/" or "/<lowercase letters>/" only.
#   - User-Agent (/V): anchored at both ends to
#     "Mozilla/N.N (compatible; MSIE N.N; Windows NT N.N; SV1)"; " MSIE " is the fast pattern.
#   - http_header_names: starts with Accept, User-Agent, Host, Content-Length, Connection
#     (the 56-byte pattern with depth:56 can only match at the start of the buffer);
#     "Content-Type", "Accept-" and "Referer" must not appear in the buffer.
#   - http_accept: value is "*/*" with no data after it.
# NOTE(review): the rule keys on header ordering and a fixed User-Agent form, not on payload
# bytes, so a sample that changes header order or User-Agent would no longer match.
# Verify detections with body and destination evidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Check-in"; flow:to_server,established; content:"POST"; http_method; content:" MSIE "; fast_pattern; http_user_agent; pcre:"/^\/(?:[a-z]+\/)?$/U"; pcre:"/^Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows\x20NT\x20\d+\.\d+\x3b\x20SV1\x29$/V"; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; classtype:trojan-activity; sid:2019881; rev:4; metadata:created_at 2014_12_06, updated_at 2019_05_22;)

Added 2019-05-22 19:32:46 UTC


# sid 2019881, rev 3 (msg "ET TROJAN Chthonic Check-in"): outbound POST check-in heuristic
# that pins the whole request header block with one regex. Conditions, all required:
#   - the method buffer contains "POST"; " MSIE " in http_user_agent is fast_pattern:only.
#   - http_header contains none of "Content-Type", "Accept-" or "Referer".
#   - the normalized URI (/U) is "/" or "/<lowercase letters>/".
#   - the headers start with "Accept: */*\r\nUser-Agent:" (depth:24 equals the pattern length).
#   - the /H pcre, anchored at both ends, requires exactly this sequence: Accept: */*,
#     User-Agent "Mozilla/N.N (compatible; MSIE N.N; Windows NT N.N; SV1)", Host,
#     Content-Length of at least three digits, "Connection: Keep-Alive", then one of
#     Cache-Control or Pragma set to "no-cache".
# NOTE(review): the negated contents look largely redundant with the fully anchored regex;
# presumably they are kept as cheap pre-checks. metadata updated_at still reads 2014_12_06,
# the same as created_at, so it does not show when this revision was written.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Check-in"; flow:to_server,established; content:"POST"; http_method; content:" MSIE "; fast_pattern:only; http_user_agent; content:!"Content-Type"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; pcre:"/^\/(?:[a-z]+\/)?$/U"; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a|"; http_header; depth:24; pcre:"/^Accept\x3a\x20\*\/\*\r\nUser-Agent\x3a\x20Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows NT \d+\.\d+\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20\d{3,}\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2019881; rev:3; metadata:created_at 2014_12_06, updated_at 2014_12_06;)

Added 2018-09-13 19:50:00 UTC


Added 2018-09-13 17:59:24 UTC


# sid 2019881, rev 3 (msg "ET TROJAN Chthonic Check-in"): alerts on an outbound POST when
#   - " MSIE " appears in the User-Agent buffer (fast_pattern:only);
#   - the http_header buffer has no "Content-Type", "Accept-" or "Referer" string
#     (http_header also covers header values, so the negations apply to values too);
#   - the URI (/U) is "/" or one lowercase-letter directory;
#   - the header block begins with "Accept: */*\r\nUser-Agent:" within the first 24 bytes;
#   - the /H pcre matches the full block in fixed order: Accept, User-Agent of the form
#     "Mozilla/N.N (compatible; MSIE N.N; Windows NT N.N; SV1)", Host, Content-Length (\d{3,}),
#     Connection: Keep-Alive, and a final Cache-Control or Pragma "no-cache" line.
# NOTE(review): the Content-Length constraint means a request body shorter than 100 bytes
# cannot match. No option inspects the body itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Check-in"; flow:to_server,established; content:"POST"; http_method; content:" MSIE "; fast_pattern:only; http_user_agent; content:!"Content-Type"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; pcre:"/^\/(?:[a-z]+\/)?$/U"; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a|"; http_header; depth:24; pcre:"/^Accept\x3a\x20\*\/\*\r\nUser-Agent\x3a\x20Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows NT \d+\.\d+\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20\d{3,}\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2019881; rev:3; metadata:created_at 2014_12_06, updated_at 2014_12_06;)

Added 2017-08-07 21:14:14 UTC


# sid 2019881, rev 2 (msg "ET TROJAN Chthonic Check-in"): outbound POST check-in heuristic.
#   - " MSIE " is matched in http_header (the whole header buffer) as fast_pattern:only.
#   - http_header must not contain "Content-Type", "Accept-" or "Referer".
#   - the URI (/U) is "/" or "/<lowercase letters>/".
#   - the headers start with "Accept: */*\r\nUser-Agent:" (depth:24).
#   - the /H pcre, anchored at both ends, fixes the header block: Accept, User-Agent
#     "Mozilla/N.N (compatible; MSIE N.N; Windows NT N.N; SV1)", Host, Content-Length with
#     three or more digits, Connection: Keep-Alive, then Cache-Control or Pragma "no-cache".
# NOTE(review): this entry has no reference: option and no metadata. The older entries on
# this page that share sid 2019881 rev:2 carry a reference:md5, so the rule text changed
# without a rev bump. When diffing rule sets, compare the rule text as well as sid and rev.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Check-in"; flow:to_server,established; content:"POST"; http_method; content:" MSIE "; fast_pattern:only; http_header; content:!"Content-Type"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; pcre:"/^\/(?:[a-z]+\/)?$/U"; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a|"; http_header; depth:24; pcre:"/^Accept\x3a\x20\*\/\*\r\nUser-Agent\x3a\x20Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows NT \d+\.\d+\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20\d{3,}\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2019881; rev:2;)

Added 2015-03-09 21:22:32 UTC


# sid 2019881, rev 2 (msg "ET TROJAN Chthonic Check-in"): alerts on an outbound POST whose
# headers match a fixed template.
#   - " MSIE " anywhere in http_header is the fast pattern (fast_pattern:only).
#   - "Content-Type", "Accept-" and "Referer" must not appear in http_header.
#   - the URI (/U) is "/" or a single lowercase-letter directory.
#   - "Accept: */*\r\nUser-Agent:" must sit at the start of the headers (depth:24).
#   - the /H pcre requires the exact order Accept, User-Agent
#     ("Mozilla/N.N (compatible; MSIE N.N; Windows NT N.N; SV1)"), Host, Content-Length
#     (\d{3,}), Connection: Keep-Alive, Cache-Control or Pragma "no-cache", then end of buffer.
#   - reference:md5 names the sample hash the rule is associated with.
# NOTE(review): the oldest entry on this page has the same sid and rev with a different msg
# (another family name). The msg was renamed without a rev bump, so alert history for this
# sid may show two names for the same signature.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Check-in"; flow:to_server,established; content:"POST"; http_method; content:" MSIE "; fast_pattern:only; http_header; content:!"Content-Type"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; pcre:"/^\/(?:[a-z]+\/)?$/U"; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a|"; http_header; depth:24; pcre:"/^Accept\x3a\x20\*\/\*\r\nUser-Agent\x3a\x20Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows NT \d+\.\d+\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20\d{3,}\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,2b377a9d2f597f4a010e6a5de9b0c00a; classtype:trojan-activity; sid:2019881; rev:2;)

Added 2014-12-23 15:21:58 UTC


# sid 2019881, rev 2, oldest entry on this page (msg "ET TROJAN Adromedins/Androkins
# Check-in"; later entries with the same sid use the name Chthonic).
# Outbound POST check-in heuristic; all of the following must match:
#   - " MSIE " in http_header (fast_pattern:only).
#   - no "Content-Type", "Accept-" or "Referer" in http_header.
#   - the URI (/U) is "/" or "/<lowercase letters>/".
#   - the headers begin with "Accept: */*\r\nUser-Agent:" (depth:24 equals the pattern length).
#   - the /H pcre fixes the complete header block: Accept, User-Agent
#     "Mozilla/N.N (compatible; MSIE N.N; Windows NT N.N; SV1)", Host, Content-Length of at
#     least three digits, Connection: Keep-Alive, Cache-Control or Pragma "no-cache".
#   - reference:md5 names the associated sample hash.
# NOTE(review): detection rests entirely on request-header shape. Corroborate hits with the
# POST body and destination before attributing them to a specific family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Adromedins/Androkins Check-in"; flow:to_server,established; content:"POST"; http_method; content:" MSIE "; fast_pattern:only; http_header; content:!"Content-Type"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; pcre:"/^\/(?:[a-z]+\/)?$/U"; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a|"; http_header; depth:24; pcre:"/^Accept\x3a\x20\*\/\*\r\nUser-Agent\x3a\x20Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows NT \d+\.\d+\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20\d{3,}\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,2b377a9d2f597f4a010e6a5de9b0c00a; classtype:trojan-activity; sid:2019881; rev:2;)

Added 2014-12-06 14:46:45 UTC

