# sid 2022841, rev 4; this entry's metadata carries former_category CURRENT_EVENTS.
# Low-confidence heuristic (msg says "Possible ...?"): alerts on an outbound HTTP GET
# ($HOME_NET -> $EXTERNAL_NET, established, to_server) whose normalized URI ends in
# /cgi/ + [a-z0-9]{1,31} + .bin.
#   - "/cgi/" and ".bin" are both matched in http_uri; ".bin" is the fast_pattern, and
#     isdataat:!1,relative after it requires that nothing follows ".bin" in the URI.
#   - The pcre runs on the normalized URI (/U) and is anchored only at the end ("$"),
#     so "/cgi/" may sit below other path segments.
#   - The request must have neither a Referer nor an Accept-Language header; both are
#     checked by name in the http_header_names buffer, case-sensitively (no nocase).
#   - False-positive exclusions: "AskTbARS" anywhere in http_header (presumably a
#     toolbar client token - verify), plus the listed domains in http_host.
#     "kankan.com" and "aocdn.net" have no leading dot, and "aocdn.net" has no
#     isdataat, so these two exclude a wider set of host names than the dotted entries.
# NOTE(review): isdataat:!1,relative follows *negated* http_host contents; presumably
# meant as "Host does not end with X" - confirm how the engine evaluates this.
# NOTE(review): every exclusion is evaluated on client-supplied request fields, so they
# are noise reduction only; triage hits against the server response and endpoint data.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot? .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; http_uri; content:".bin"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"AskTbARS"; http_header; content:!".passport.net"; http_host; isdataat:!1,relative; content:!".microsoftonline-p.net"; http_host; isdataat:!1,relative; content:!".symantec.com"; http_host; isdataat:!1,relative; content:!".qq.com"; http_host; isdataat:!1,relative; content:!"kankan.com"; http_host; isdataat:!1,relative; content:!"aocdn.net"; http_host; http_header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022841; rev:4; metadata:created_at 2016_05_27, former_category CURRENT_EVENTS, updated_at 2020_10_30;)

Added 2020-11-24 17:54:51 UTC


# sid 2022841, rev 4; metadata has created_at/updated_at only (updated_at 2020_10_30).
# Heuristic for an outbound HTTP GET (established, to_server) whose normalized URI ends
# in /cgi/ + [a-z0-9]{1,31} + .bin and which carries no Referer and no Accept-Language.
#   - URI: "/cgi/" and ".bin" in http_uri; ".bin" is the fast_pattern and must be the
#     last bytes of the URI (isdataat:!1,relative). The pcre (/U) fixes the file-name
#     shape and is end-anchored only.
#   - Header names: checked in http_header_names as "Referer|0d 0a|" and
#     "Accept-Language|0d 0a|", case-sensitive.
#   - Exclusions: "AskTbARS" in http_header; six domains in http_host. Entries without a
#     leading dot ("kankan.com", "aocdn.net") also cover longer names ending in or
#     containing those strings.
# NOTE(review): relative isdataat after a negated content - confirm it is evaluated as
# "Host does not end with X". Exclusions rely on client-supplied values; treat an alert
# as a lead to verify, and the absence of one as no evidence of a clean host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot? .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; http_uri; content:".bin"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"AskTbARS"; http_header; content:!".passport.net"; http_host; isdataat:!1,relative; content:!".microsoftonline-p.net"; http_host; isdataat:!1,relative; content:!".symantec.com"; http_host; isdataat:!1,relative; content:!".qq.com"; http_host; isdataat:!1,relative; content:!"kankan.com"; http_host; isdataat:!1,relative; content:!"aocdn.net"; http_host; http_header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022841; rev:4; metadata:created_at 2016_05_27, updated_at 2020_10_30;)

Added 2020-10-30 20:26:02 UTC


# sid 2022841, rev 4 (updated_at 2020_02_18). This revision uses per-buffer matching:
# http_uri for the path, http_host for the domain exclusions and http_header_names for
# the missing-header checks.
# Fires on an outbound HTTP GET (established, to_server) where:
#   - the normalized URI contains "/cgi/" and ends in ".bin" (fast_pattern +
#     isdataat:!1,relative), and the pcre (/U, end-anchored) matches
#     /cgi/ + [a-z0-9]{1,31} + .bin;
#   - no Referer and no Accept-Language header name is present (case-sensitive match);
#   - "AskTbARS" is absent from http_header and none of the excluded domains appears in
#     http_host.
# NOTE(review): "kankan.com" and "aocdn.net" lack the leading dot used by the other
# exclusions, and "aocdn.net" lacks isdataat, so they exclude more hosts - confirm that
# is intended. Also confirm the engine's handling of isdataat:!1,relative after a
# negated content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot? .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; http_uri; content:".bin"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"AskTbARS"; http_header; content:!".passport.net"; http_host; isdataat:!1,relative; content:!".microsoftonline-p.net"; http_host; isdataat:!1,relative; content:!".symantec.com"; http_host; isdataat:!1,relative; content:!".qq.com"; http_host; isdataat:!1,relative; content:!"kankan.com"; http_host; isdataat:!1,relative; content:!"aocdn.net"; http_host; http_header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022841; rev:4; metadata:created_at 2016_05_27, updated_at 2020_02_18;)

Added 2020-02-18 18:33:46 UTC


# sid 2022841, rev 3 (updated_at 2019_10_07). Uses plain "fast_pattern" on ".bin".
# Heuristic for an outbound HTTP GET (established, to_server) to a URI ending in
# /cgi/ + [a-z0-9]{1,31} + .bin, sent without Referer or Accept-Language.
#   - content:"/cgi/" has no buffer modifier, so it is matched against the raw payload;
#     only ".bin" is bound to http_uri. The pcre (/U, end-anchored) is what ties the
#     path shape to the normalized URI.
#   - All negations are on http_header: "Referer|3a|", "Accept-Language|3a|",
#     "AskTbARS", and the domain exclusions written as "domain|0d 0a|", i.e. any header
#     line that ends in that domain, not only the Host header. "aocdn.net" has no
#     trailing CRLF, so it is excluded wherever it appears in the headers.
#   - content:"|0d 0a 0d 0a|" has no modifier: the raw payload must contain a blank
#     line.
# NOTE(review): because the exclusions look at every header line, an unrelated header
# value ending in one of these domains also suppresses the alert; they are noise
# reduction on client-supplied data, not a trust decision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot? .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:3; metadata:created_at 2016_05_27, updated_at 2019_10_07;)

Added 2019-10-08 19:34:38 UTC


# sid 2022841, rev 2, with created_at/updated_at metadata (both 2016_05_27).
# Heuristic for an outbound HTTP GET (established, to_server) to a URI ending in
# /cgi/ + [a-z0-9]{1,31} + .bin, sent without Referer or Accept-Language.
#   - ".bin" in http_uri is marked fast_pattern:only, so it serves as the prefilter
#     pattern; the end-anchored pcre (/U) does the actual URI shape check.
#   - content:"/cgi/" and content:"|0d 0a 0d 0a|" carry no buffer modifier and are
#     matched against the raw payload.
#   - Negated http_header contents: "Referer|3a|", "Accept-Language|3a|", "AskTbARS",
#     and domains followed by CRLF (any header line ending in that domain; "aocdn.net"
#     has no CRLF and is excluded anywhere in the headers).
# NOTE(review): the exclusions are not limited to the Host header and operate on
# client-supplied values; treat them as false-positive tuning only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot? .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:2; metadata:created_at 2016_05_27, updated_at 2016_05_27;)

Added 2018-09-13 19:52:36 UTC


Added 2018-09-13 18:00:57 UTC


# sid 2022841, rev 2, with created_at/updated_at metadata (both 2016_05_27).
# Alerts on an outbound HTTP GET (established, to_server) when:
#   - the normalized URI matches /cgi/ + [a-z0-9]{1,31} + .bin at its end (pcre /U);
#     ".bin" in http_uri is the fast_pattern:only prefilter, while "/cgi/" is an
#     unmodified content matched on the raw payload;
#   - http_header contains neither "Referer:" nor "Accept-Language:" (|3a| is ":"),
#     matched case-sensitively;
#   - http_header contains none of the exclusion strings: "AskTbARS", five domains
#     followed by CRLF, and "aocdn.net" anywhere;
#   - the raw payload contains CRLF CRLF (unmodified content).
# NOTE(review): domain exclusions apply to any header line, not just Host - confirm
# this breadth is acceptable for your environment before relying on the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot? .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:2; metadata:created_at 2016_05_27, updated_at 2016_05_27;)

Added 2017-08-07 21:17:50 UTC


# sid 2022841, rev 2, without a metadata keyword.
# Alerts on an outbound HTTP GET (established, to_server) whose normalized URI ends in
# /cgi/ + [a-z0-9]{1,31} + .bin (end-anchored pcre with /U; ".bin" in http_uri is the
# fast_pattern:only prefilter) and whose headers contain no "Referer:" and no
# "Accept-Language:".
# "/cgi/" and "|0d 0a 0d 0a|" have no buffer modifier and match on the raw payload.
# False-positive exclusions, all on http_header: "AskTbARS", five domains followed by
# CRLF (any header line ending in the domain), and "aocdn.net" anywhere in the headers.
# NOTE(review): exclusions are evaluated on client-supplied header text and are not
# restricted to the Host header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot? .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:2;)

Added 2016-05-27 17:49:48 UTC


# sid 2022841, rev 2, without a metadata keyword; earliest entry listed on this page.
# Heuristic ("Possible ...?") for an outbound HTTP GET (established, to_server):
#   - URI: ".bin" in http_uri (fast_pattern:only) plus an end-anchored pcre on the
#     normalized URI (/U) requiring /cgi/ + [a-z0-9]{1,31} + .bin; the separate
#     content:"/cgi/" is unmodified and matches on the raw payload.
#   - Headers: "Referer|3a|" and "Accept-Language|3a|" must be absent from http_header.
#   - Exclusions on http_header: "AskTbARS"; ".passport.net", ".microsoftonline-p.net",
#     ".symantec.com", ".qq.com", "kankan.com" each followed by CRLF; "aocdn.net"
#     with no CRLF.
#   - content:"|0d 0a 0d 0a|" is unmodified: the raw payload must contain a blank line.
# NOTE(review): the domain exclusions match the end of any header line, so they are
# broader than a Host check; keep that in mind when tuning or triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot? .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:2;)

Added 2016-05-27 17:39:06 UTC

