alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ELF/Rekoobe CnC?)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|17|kooktijd.acc.dynapps.be"; distance:1; within:25; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 0a|"; distance:0; content:"|0d|Let's Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|1a|Let's Encrypt Authority X3"; distance:1; within:27; metadata: former_category MALWARE; reference:url,intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/; classtype:trojan-activity; sid:2029307; rev:2; metadata:affected_product Linux, created_at 2020_01_22, malware_family Rekoobe, updated_at 2020_01_22;)

Added 2020-01-22 18:26:38 UTC


Topic revision: r1 - 2020-01-22 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats