alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursa Loader CnC? Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http_user_agent; fast_pattern; pcre:"/^[a-z]{1,10}=[A-Z]+(?:&[a-z]{1,10}=[A-Z]+){2,}$/Ps"; http_request_line; content:"POST / HTTP/1.0"; depth:15; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,d05af060e3e104dea638f17c4bceb5ac; classtype:trojan-activity; sid:2026756; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_12_07, malware_family Ursa_Loader, performance_impact Moderate, updated_at 2018_12_07;)

Added 2019-01-04 19:41:18 UTC


Topic revision: r1 - 2019-01-05 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats