Added 2019-12-11 19:21:46 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious VBS Encoding Observed in Unknown EK"; flow:established,to_client; http_content_type; content:"application/octet-stream"; file_data; content:"Execute chr("; depth:12; fast_pattern; pcre:"/^-?\d+[/+]/R"; content:"CLng(&H"; within:7; pcre:"/^[A-F0-9]+/R"; content:"))&chr("; within:7; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; classtype:bad-unknown; sid:2029112; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_11, updated_at 2019_12_11;)
Added 2019-12-11 18:42:44 UTC