# sid 2020369, rev 4: alerts on outbound HTTP GET requests whose URI and header layout match the
# structure this rule attributes to Upatre (see msg).
# Scope: $HOME_NET -> $EXTERNAL_NET, destination port 80 only, established client-to-server flow.
# Request shape:
#   - urilen:<53 and no "." anywhere in the URI.
#   - "Accept" and "Referer:" must be absent from the headers. content is a substring match, so any
#     header whose name contains "Accept" (e.g. Accept-Encoding) also prevents the alert.
#   - The chained "/" contents (offset:6, then short distance/within windows) pre-filter for several
#     path separators close together before the pcre runs.
# pcre /U (normalized URI):
#   /<2-4 digits><2+ lowercase letters>[_][digits]/<any non-slash segment>/<1-2 digits>/<digit>/<digit>/[A-Z]*
# pcre /Hmi (headers): a Host line that ends in a dotted quad followed by ":<port>". \d{1,3} does
#   not bound octets to 0-255, so this is a shape check, not IP validation.
# Fast pattern: " HTTP/1.1\r\nUser-Agent" has no HTTP buffer modifier after it, so it is matched
#   outside the http_* buffers; it requires User-Agent to be the first header after the request line.
# NOTE(review): the destination port is fixed at 80 while the Host regex requires an explicit
#   ":port" -- confirm this pairing is intended; requests sent to other ports are outside this sid.
# This revision uses plain fast_pattern; the older revisions listed on this page use fast_pattern:only.
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<53; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:6; http_uri; content:"/"; distance:1; within:2; http_uri; content:"/"; distance:1; within:1; http_uri; content:"/"; distance:1; within:1; http_uri; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*$/U"; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}\r?$/Hmi"; content:" HTTP/1.1|0d 0a|User-Agent"; fast_pattern; classtype:trojan-activity; sid:2020369; rev:4; metadata:created_at 2015_02_05, updated_at 2019_10_07;)

Added 2019-10-08 19:34:20 UTC


# sid 2020369, rev 3 (with created_at/updated_at metadata): outbound HTTP GET to port 80 matching the
# URI/header structure named in msg.
# Conditions, all required:
#   - established, to_server flow; URI shorter than 53 bytes; URI contains no ".".
#   - headers contain neither "Accept" (substring, so Accept-* headers count) nor "Referer:".
#   - several "/" separators at close relative positions in the URI (offset/distance/within chain).
#   - pcre /U: /<2-4 digits><2+ lowercase>[_][digits]/<segment>/<1-2 digits>/<digit>/<digit>/[A-Z]*
#   - pcre /Hmi: Host line ending in <dotted quad>:<port>; octet values are not range-checked.
#   - " HTTP/1.1\r\nUser-Agent": User-Agent must directly follow the request line. Declared
#     fast_pattern:only and carries no HTTP buffer modifier.
# NOTE(review): only destination port 80 is inspected although the Host regex expects an explicit
#   port -- verify against captured samples before relying on this rule for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<53; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:6; http_uri; content:"/"; distance:1; within:2; http_uri; content:"/"; distance:1; within:1; http_uri; content:"/"; distance:1; within:1; http_uri; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*$/U"; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}\r?$/Hmi"; content:" HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; classtype:trojan-activity; sid:2020369; rev:3; metadata:created_at 2015_02_05, updated_at 2015_02_05;)

Added 2018-09-13 19:50:32 UTC


Added 2018-09-13 17:59:41 UTC


# sid 2020369, rev 3 (with metadata): detects a GET request from $HOME_NET to an external host on
# port 80 whose URI and headers have the layout described in msg.
#   - URI: under 53 bytes, no ".", and it must satisfy the /U regex
#       /<2-4 digits><2+ lowercase>[_][digits]/<segment>/<1-2 digits>/<digit>/<digit>/[A-Z]*
#     The preceding "/" contents with offset/distance/within act as a cheaper positional pre-check.
#   - Headers: no "Accept" substring and no "Referer:"; a Host line ending in what looks like
#     <IPv4>:<port> (digit groups only, not validated as an address).
#   - " HTTP/1.1\r\nUser-Agent" (fast_pattern:only, no HTTP buffer modifier): User-Agent is the
#     first header after the request line.
# NOTE(review): because the negated "Accept" match is a substring test, a client that sends any
#   Accept-* header never triggers this rule -- keep that in mind when tuning or testing.
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<53; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:6; http_uri; content:"/"; distance:1; within:2; http_uri; content:"/"; distance:1; within:1; http_uri; content:"/"; distance:1; within:1; http_uri; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*$/U"; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}\r?$/Hmi"; content:" HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; classtype:trojan-activity; sid:2020369; rev:3; metadata:created_at 2015_02_05, updated_at 2015_02_05;)

Added 2017-08-07 21:14:50 UTC


# sid 2020369, rev 3 (no metadata keyword): outbound GET on port 80 with the URI/header structure
# named in msg.
#   - urilen:<53; URI has no "."; the /U regex allows optional trailing uppercase letters after
#     the final "/": /<2-4 digits><2+ lowercase>[_][digits]/<segment>/<1-2 digits>/<digit>/<digit>/[A-Z]*
#   - Headers lack "Accept" (substring) and "Referer:"; the Host line ends in
#     <digits.digits.digits.digits>:<port>.
#   - " HTTP/1.1\r\nUser-Agent" is the fast pattern (fast_pattern:only) and ties User-Agent to the
#     first header position; no leading "/" is required before the space.
# NOTE(review): the rule covers destination port 80 only -- confirm whether other ports need a
#   companion rule.
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<53; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:6; http_uri; content:"/"; distance:1; within:2; http_uri; content:"/"; distance:1; within:1; http_uri; content:"/"; distance:1; within:1; http_uri; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*$/U"; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}\r?$/Hmi"; content:" HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; classtype:trojan-activity; sid:2020369; rev:3;)

Added 2015-02-06 16:45:59 UTC


# sid 2020369, rev 2: the strictest form of this rule on the page.
#   - urilen:<41 (the later revisions use <53).
#   - The URI must END with "/": isdataat:!1,relative after the last "/" content requires that no
#     byte follows it, the /U regex ends in \/$, and the fast pattern begins with "/ HTTP/1.1".
#     /U regex: /<2-4 digits><2+ lowercase>[_][digits]/<segment>/<1-2 digits>/<digit>/<digit>/
#   - Otherwise the same shape as the other revisions: GET, established to_server flow to port 80,
#     no "." in the URI, no "Accept" substring and no "Referer:" in the headers, and a Host line
#     ending in <dotted quad>:<port> (digit groups are not range-checked).
#   - "/ HTTP/1.1\r\nUser-Agent" (fast_pattern:only): User-Agent directly follows the request line.
# A request with trailing characters after the final "/" does not match this revision; the later
# revisions listed on this page accept trailing uppercase letters.
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<41; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:6; http_uri; content:"/"; distance:1; within:2; http_uri; content:"/"; distance:1; within:1; http_uri; content:"/"; distance:1; within:1; http_uri; isdataat:!1,relative; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/$/U"; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}\r?$/Hmi"; content:"/ HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; classtype:trojan-activity; sid:2020369; rev:2;)

Added 2015-02-05 18:37:34 UTC

