alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible APT28 Xtunnel Activity"; flow:established,to_server; content:"GET"; http_method; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|MSIE|20|7.0"; http_user_agent; content:"deflate,sdch|0d 0a|Accept|3a 20|text|2f|html,application|2f|xhtml"; http_header; fast_pattern; http_connection; content:"Close"; pcre:"/^\/(?:\w+\/){1,5}\?[a-z]{1,6}=[a-z0-9]{2,40}(?:&[a-z]{1,6}=(?:[a-z0-9]){1,40}(%3D){0,2}){1,4}$/Ii"; http_header_names; content:!"Referer"; content:!"Cache"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2027405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, deployment Perimeter, tag APT, signature_severity Major, created_at 2019_05_30, malware_family XTunnel, performance_impact Low, updated_at 2019_05_31;)

Added 2019-05-31 18:38:11 UTC


Topic revision: r1 - 2019-05-31 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats