alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"POST / HTTP/1.1|0d 0a|Host|3a|"; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; http_header; content:!"Content-Type|3a|"; http_header; pcre:"/^.{0,15}[\x00-\x09\x80-\xff]/Ps";flowbits:set,ET.Sage.Primer; flowbits:noalert; metadata: former_category MALWARE; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:trojan-activity; sid:2023766; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_01_25, malware_family Ransomware, malware_family Sage, performance_impact Low, updated_at 2019_10_07;)

Added 2019-10-08 19:34:43 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"POST / HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; http_header; content:!"Content-Type|3a|"; http_header; pcre:"/^.{0,15}[\x00-\x09\x80-\xff]/Ps";flowbits:set,ET.Sage.Primer; flowbits:noalert; metadata: former_category MALWARE; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:trojan-activity; sid:2023766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_01_25, malware_family Ransomware, malware_family Sage, performance_impact Low, updated_at 2017_01_25;)

Added 2019-09-26 19:58:18 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"POST / HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; http_header; content:!"Content-Type|3a|"; http_header; pcre:"/^.{0,15}[\x00-\x09\x80-\xff]/Ps";flowbits:set,ET.Sage.Primer; flowbits:noalert; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:trojan-activity; sid:2023766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_01_25, malware_family Ransomware, malware_family Sage, performance_impact Low, updated_at 2017_01_25;)

Added 2017-08-07 21:18:59 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"POST / HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; http_header; content:!"Content-Type|3a|"; http_header; pcre:"/^.{0,15}[\x00-\x09\x80-\xff]/Ps";flowbits:set,ET.Sage.Primer; flowbits:noalert; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:trojan-activity; sid:2023766; rev:2;)

Added 2017-01-25 17:30:21 UTC


Topic revision: r1 - 2019-10-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats