alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Win32/Spy.RTM/Redaman IP Check"; flow: established, to_server; content:"GET"; http_method; content:"/index_small.php"; http_uri; fast_pattern; isdataat:!1, relative; content:"Cache-Control|3a 20|no-cache"; http_header; depth:24; content:"Connection|3a 20|Close"; http_header; within:19; content:"Pragma|3a 20|no-cache"; http_header; within:18; content:"Accept|3a 20|text/html, application/xhtml+xml, */*"; http_header; within:47; content:"Accept-Language|3a 20|en-US"; http_header; within:24; content:"Host|3a 20|"; http_header; within:8; isdataat:!35,relative; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2027025; rev:2; metadata:created_at 2019_03_04, updated_at 2019_03_04;)

Added 2019-03-04 20:28:19 UTC

Topic revision: r1 - 2019-03-05 - TWikiGuest
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats