# sid:2025044 rev:3 -- retired: the rule is commented out and its msg carries the "ET DELETED" prefix.
# Scope: HTTP responses to $HOME_NET on established flows (flow:established,from_server) whose
# headers contain "nginx" (nocase); every match after file_data is made against the response body.
# Body conditions: the Flash ActiveX classid d27cdb6e-ae6d-11cf-96b8-444553540000, then an <object>
# whose bgcolor param is "#" plus six lowercase hex digits and whose allowScriptAccess param is
# "always", followed within 1000 bytes by </object>, </body>, </html> at the end of the data.
# The second pcre requires a name= attribute whose quoted lowercase value is repeated by a later id=.
# On a match the rule sets flowbit ET.Neutrino. A commented-out rule is not loaded, so confirm that
# any rule testing that flowbit still has an active setter.
# NOTE(review): as rendered here `content:"";` is empty and the named group reads `(?P[`. The
# backreference `(?P=var1)` implies the group was `(?P<var1>`, so angle-bracket text was probably
# stripped by the page. Take the rule from the published ruleset rather than from this copy.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:""; pcre:"/^\s*?(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:trojan-activity; sid:2025044; rev:3; metadata:created_at 2016_06_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)

Added 2022-05-19 19:06:45 UTC


# sid:2025044 rev:2 snapshot, disabled (commented out, msg prefixed "ET DELETED").
# Matches an HTTP response with "nginx" in its headers whose body holds a Flash <object>
# (classid d27cdb6e-ae6d-11cf-96b8-444553540000) with a bgcolor param and
# allowScriptAccess="always" as the last element before </body></html>, plus a name=/id= pair
# sharing one quoted lowercase value. A match would set flowbit ET.Neutrino.
# In this snapshot former_category sits inside the single trailing metadata keyword.
# NOTE(review): `content:"";` and `(?P[` look like extraction damage (the backreference names the
# group var1); do not load this copy as-is -- verify against the published ruleset.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:""; pcre:"/^\s*?(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:trojan-activity; sid:2025044; rev:2; metadata:created_at 2016_06_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)

Added 2020-08-05 19:14:12 UTC


# sid:2025044 rev:2 snapshot, disabled (commented out, msg prefixed "ET DELETED").
# Detection logic: HTTP response, "nginx" in the headers, body containing a Flash <object>
# (classid d27cdb6e-ae6d-11cf-96b8-444553540000) with bgcolor and allowScriptAccess="always"
# params, closed by </object></body></html> at the end of the data. A match sets flowbit ET.Neutrino.
# This snapshot carries two metadata keywords: former_category in one, created_at/updated_at in
# the other.
# NOTE(review): `content:"";` is empty and the capture group name is missing in `(?P[` as rendered;
# `(?P=var1)` shows the intended name. Treat this copy as damaged and verify before reuse.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:""; pcre:"/^\s*?(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025044; rev:2; metadata:created_at 2016_06_11, updated_at 2018_06_18;)

Added 2018-09-13 19:54:22 UTC


Added 2018-09-13 18:01:56 UTC


# sid:2025044 rev:2 snapshot, disabled (commented out, msg prefixed "ET DELETED"),
# with updated_at 2018_06_18.
# Detection logic: HTTP response, "nginx" in the headers, body containing a Flash <object>
# (classid d27cdb6e-ae6d-11cf-96b8-444553540000) with bgcolor and allowScriptAccess="always"
# params, closed by </object></body></html> at the end of the data. A match sets flowbit ET.Neutrino.
# NOTE(review): `content:"";` is empty and the capture group name is missing in `(?P[` as rendered;
# `(?P=var1)` shows the intended name. Treat this copy as damaged and verify before reuse.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:""; pcre:"/^\s*?(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025044; rev:2; metadata:created_at 2016_06_11, updated_at 2018_06_18;)

Added 2018-06-18 16:40:47 UTC


# sid:2025044 rev:2 -- the only enabled snapshot on this page (msg "ET CURRENT_EVENTS ...").
# Alerts on an HTTP response to $HOME_NET (flow:established,from_server) with "nginx" in the
# headers (nocase) whose body (file_data) contains the Flash ActiveX classid
# d27cdb6e-ae6d-11cf-96b8-444553540000 and an <object> with a bgcolor param ("#" plus six lowercase
# hex digits) and allowScriptAccess="always", closed by </object></body></html> at the end of the
# data. A second pcre requires name= and id= attributes that share one quoted lowercase value.
# "allowScriptAccess" is the fast pattern. A match also sets flowbit ET.Neutrino.
# The later snapshots on this page keep rev:2 while commenting the rule out and renaming it
# "ET DELETED", so rev alone does not distinguish the enabled and disabled states.
# NOTE(review): `content:"";` is empty and `(?P[` has no group name as rendered, although
# `(?P=var1)` refers to one. This is probably markup stripped by the page; verify the rule text
# against the published ruleset before loading it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:""; pcre:"/^\s*?(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025044; rev:2; metadata:created_at 2016_06_11, updated_at 2017_11_27;)

Added 2017-11-27 16:30:29 UTC

