alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Shlayer CnC? Activity M4"; flow:established,to_server; content:"GET"; http_method; content:"/sd/?c="; http_uri; depth:7; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/RUi"; content:"&u="; http_uri; distance:0; content:"&s="; http_uri; distance:0; content:"&o="; http_uri; distance:0; content:"&b="; http_uri; distance:0; pcre:"/^\d{3,15}$/RU"; metadata: former_category TROJAN; reference:url,; classtype:trojan-activity; sid:2026913; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_02_14, malware_family Shlayer, performance_impact Low, updated_at 2019_02_14;)

Added 2019-02-14 17:32:46 UTC

This topic: Main > 2026913
Topic revision: r1 - 2019-02-14 - TWikiGuest
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats