# SID 2022220, rev 2: silent flowbit setter for an outbound HTTP GET that looks
# like an image fetch made by a VBA macro. flowbits:noalert means this rule never
# produces an alert itself; it only sets ET.vba-jpg-dl on the flow. It is useful
# only with a companion rule that tests that flowbit (none is shown on this page).
#
# Conditions, all on the client request ($HOME_NET -> $EXTERNAL_NET, established):
#   - method GET; URI contains ".jpg" and, per the pcre on the normalized URI
#     (/U), ends in ".jpg" optionally followed by "?<digits>".
#   - no Referer and no Accept-Language header.
#   - the header buffer starts with this exact sequence:
#       Accept: */*
#       Accept-Encoding: gzip, deflate
#       User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT
#     The pattern is 102 bytes and depth:102 pins it to the start of the buffer,
#     so header order, spacing and CRLFs must match byte for byte.
#   - fast_pattern:82,20 gives the prefilter the last 20 bytes of that pattern
#     ("MSIE 7.0; Windows NT"); the short content:"Accept|3a|" before it is
#     already implied by the long pattern.
#
# Triage: the header block is a client fingerprint, not proof of macro execution.
# Any client sending the same headers for a .jpg URI sets the flowbit. Only
# cleartext HTTP is inspected.
# NOTE(review): created_at reads 2015_12_05 here but 2015_12_04 in the older
# revisions on this page, while rev is still 2 - confirm against the upstream ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; http_uri; content:!"Referer|3A|"; http_header; content:!"Accept-Language|3A|"; http_header; content:"Accept|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; depth:102; fast_pattern:82,20; http_header; pcre:"/\.jpg(?:\?\d+)?$/U"; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; classtype:trojan-activity; sid:2022220; rev:2; metadata:created_at 2015_12_05, updated_at 2020_06_09;)

Added 2021-09-21 20:00:26 UTC


# SID 2022220, rev 2, as stored with metadata created_at 2015_12_04 /
# updated_at 2020_06_09. Silent setter (flowbits:noalert) of ET.vba-jpg-dl:
# matches an outbound GET whose URI ends in ".jpg" (optionally "?<digits>"),
# with no Referer or Accept-Language header, and whose header buffer starts with
# the fixed 102-byte Accept / Accept-Encoding / MSIE 7.0 User-Agent block
# (depth:102). It raises no alert on its own; a rule testing the flowbit is needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; http_uri; content:!"Referer|3A|"; http_header; content:!"Accept-Language|3A|"; http_header; content:"Accept|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; depth:102; fast_pattern:82,20; http_header; pcre:"/\.jpg(?:\?\d+)?$/U"; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; classtype:trojan-activity; sid:2022220; rev:2; metadata:created_at 2015_12_04, updated_at 2020_06_09;)

Added 2020-06-09 18:00:57 UTC


# SID 2022220, rev 2, with metadata created_at and updated_at both 2015_12_04.
# Silent setter (flowbits:noalert) of ET.vba-jpg-dl for an outbound GET of a
# URI ending in ".jpg" (optionally "?<digits>") that has no Referer or
# Accept-Language header and starts its header buffer with the fixed
# Accept / Accept-Encoding / MSIE 7.0 User-Agent block (102 bytes, depth:102).
# fast_pattern:82,20 selects the trailing "MSIE 7.0; Windows NT" for prefiltering.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; http_uri; content:!"Referer|3A|"; http_header; content:!"Accept-Language|3A|"; http_header; content:"Accept|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; depth:102; fast_pattern:82,20; http_header; pcre:"/\.jpg(?:\?\d+)?$/U"; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; classtype:trojan-activity; sid:2022220; rev:2; metadata:created_at 2015_12_04, updated_at 2015_12_04;)

Added 2018-09-13 19:52:03 UTC


Added 2018-09-13 18:00:35 UTC


# SID 2022220, rev 2, with metadata created_at and updated_at both 2015_12_04.
# Sets flowbit ET.vba-jpg-dl without alerting (flowbits:noalert) when a client
# sends GET for a URI ending in ".jpg" (optionally "?<digits>"), omits Referer
# and Accept-Language, and begins its headers with the exact Accept: */* /
# Accept-Encoding: gzip, deflate / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;
# Windows NT sequence. depth:102 equals the pattern length, so the match is
# anchored at the start of the header buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; http_uri; content:!"Referer|3A|"; http_header; content:!"Accept-Language|3A|"; http_header; content:"Accept|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; depth:102; fast_pattern:82,20; http_header; pcre:"/\.jpg(?:\?\d+)?$/U"; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; classtype:trojan-activity; sid:2022220; rev:2;  metadata:created_at 2015_12_04, updated_at 2015_12_04;)

Added 2017-08-07 21:17:03 UTC


# SID 2022220, rev 2, in the form that carries no metadata keyword.
# Silent setter (flowbits:noalert) of ET.vba-jpg-dl: outbound GET, URI ending
# in ".jpg" (optionally "?<digits>"), no Referer or Accept-Language header, and
# the fixed 102-byte Accept / Accept-Encoding / MSIE 7.0 User-Agent block at the
# start of the header buffer (depth:102). classtype:trojan-activity is set, but
# with noalert the rule emits nothing unless another rule tests the flowbit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; http_uri; content:!"Referer|3A|"; http_header; content:!"Accept-Language|3A|"; http_header; content:"Accept|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; depth:102; fast_pattern:82,20; http_header; pcre:"/\.jpg(?:\?\d+)?$/U"; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; classtype:trojan-activity; sid:2022220; rev:2;)

Added 2015-12-04 17:45:19 UTC


