alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern:only; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:trojan-activity; sid:2020082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy?, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_12_29, malware_family Nuclear, updated_at 2016_07_01;)

Added 2019-03-26 18:09:16 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern:only; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:trojan-activity; sid:2020082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy?, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_12_29, malware_family Nuclear, updated_at 2016_07_01;)

Added 2017-08-07 21:14:29 UTC


Topic revision: r1 - 2019-03-26 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats