alert http $HOME_NET any -> 92.63.0.0/16 any (msg:"ET TROJAN Maze/ID Ransomware Activity"; flow:established,to_server; urilen:>1; content:"POST"; http_method; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|AS|3b 20|rv|3a|11.0) like Gecko"; http_user_agent; depth:72; isdataat:!1,relative; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; metadata: former_category TROJAN; reference:md5,f83fb9ce6a83da58b20685c1d7e1e546; reference:md5,9823800f063a1d4ee7a749961db7540f; classtype:trojan-activity; sid:2027392; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Maze, signature_severity Major, created_at 2019_05_29, updated_at 2019_06_03;)

Added 2019-06-03 18:23:57 UTC


alert http $HOME_NET any -> 92.63.0.0/16 any (msg:"ET TROJAN Possible Maze Ransomware Activity"; flow:established,to_server; urilen:>1; content:"POST"; http_method; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|AS|3b 20|rv|3a|11.0) like Gecko"; http_user_agent; depth:72; isdataat:!1,relative; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; threshold:type both, track by_dst, count 3, seconds 120; metadata: former_category TROJAN; reference:md5,f83fb9ce6a83da58b20685c1d7e1e546; reference:md5,9823800f063a1d4ee7a749961db7540f; classtype:trojan-activity; sid:2027392; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Maze, signature_severity Major, created_at 2019_05_29, updated_at 2019_05_29;)

Added 2019-05-29 19:52:19 UTC


Topic revision: r1 - 2019-06-03 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats