alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Pottieq.A Check-in"; flow:established,to_server; content:"POST"; http_method; content:!"Accept"; http_header; content:"pc="; http_client_body; content:"mail="; http_client_body; content:"guid="; nocase; http_client_body; content:!"Cookie|3a 20|"; content:!"Referer|3a 20|"; http_header; content:"User-Agent|3a 20 7b|"; http_header; fast_pattern; pcre:"/^User-Agent\x3a\x20\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}\r?$/Hmi"; pcre:"/(?:^|&)id=\d+(?:$|&)/P"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Pottieq, signature_severity Major, created_at 2016_07_27, malware_family Pottieq, performance_impact Low, updated_at 2019_10_07;)

Added 2019-10-08 19:34:39 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Pottieq.A Check-in"; flow:established,to_server; content:"POST"; http_method; content:!"Accept"; http_header; content:"pc="; http_client_body; content:"mail="; http_client_body; content:"guid="; nocase; http_client_body; content:!"Cookie|3a 20|"; content:!"Referer|3a 20|"; http_header; content:"User-Agent|3a 20 7b|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a\x20\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}\r?$/Hmi"; pcre:"/(?:^|&)id=\d+(?:$|&)/P"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Pottieq, signature_severity Major, created_at 2016_07_27, malware_family Pottieq, performance_impact Low, updated_at 2016_07_27;)

Added 2017-08-07 21:18:01 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Pottieq.A Check-in"; flow:established,to_server; content:"POST"; http_method; content:!"Accept"; http_header; content:"pc="; http_client_body; content:"mail="; http_client_body; content:"guid="; nocase; http_client_body; content:!"Cookie|3a 20|"; content:!"Referer|3a 20|"; http_header; content:"User-Agent|3a 20 7b|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a\x20\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}\r?$/Hmi"; pcre:"/(?:^|&)id=\d+(?:$|&)/P"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:2;)

Added 2016-07-27 17:58:29 UTC


Topic revision: r1 - 2019-10-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats