[Emerging-Sigs] ALRETID 2011588

Francis Trudeau trudeauf at gmail.com
Thu Nov 21 13:22:01 HST 2019


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zeus Bot Connectivity Check"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"Mozilla/"; http_user_agent; depth:8; content:!"login.live.com"; http_host; isdataat:!1,relative; content:!"google.com"; http_host; isdataat:!1,relative; content:!"www.bing.com"; http_host; isdataat:!1,relative; content:!"yandex.ru"; http_host; isdataat:!1,relative; http_protocol; content:"HTTP/1.1"; http_connection; content:"close"; nocase; http_header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:22; metadata:created_at 2010_10_01, updated_at 2019_09_28;)

Probably time for retirement. If not, please add:

content:!"linkedin.com"; http_host; isdataat:!1,relative;
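
Added example, not part of the original post or the ET ruleset: a simplified Python model of the conditions in sid:2011588, run over constructed requests, to show what the requested linkedin.com exclusion changes. It assumes each negated http_host test means "Host does not end with this name"; build() and rule_matches() are hypothetical helper names.

```python
# Simplified model of sid:2011588 for triage; it approximates the rule's
# intent and is not a reimplementation of Suricata's matching engine.
EXCLUDED_HOSTS = ["login.live.com", "google.com", "www.bing.com", "yandex.ru"]
PROPOSED_HOSTS = EXCLUDED_HOSTS + ["linkedin.com"]  # exclusion requested in the post
HEADER_ORDER = ["Accept", "Connection", "User-Agent"]


def build(host, extra=""):
    """Constructed sample request with the header order the rule looks for."""
    return ("GET / HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
            "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
            f"Host: {host}\r\n{extra}\r\n")


def parse_request(raw):
    """Return method, URI, protocol and the headers in wire order."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, proto = lines[0].split(" ", 2)
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return method, uri, proto, headers


def rule_matches(raw, excluded_hosts):
    method, uri, proto, headers = parse_request(raw)
    names = [n for n, _ in headers]
    values = {n.lower(): v for n, v in headers}
    host = values.get("host", "").lower()
    # http_header_names: the three names must be consecutive, in this order
    ordered = any(names[i:i + 3] == HEADER_ORDER for i in range(len(names) - 2))
    return (
        method == "GET"                                           # http_method
        and len(uri) == 1                                         # urilen:1
        and values.get("user-agent", "").startswith("Mozilla/")   # depth:8
        and not any(host.endswith(h) for h in excluded_hosts)     # assumed reading
        and proto == "HTTP/1.1"                                   # http_protocol
        and "close" in values.get("connection", "").lower()       # nocase
        and ordered
        and not any("Referer" in n for n in names)                # content:!"Referer"
    )


if __name__ == "__main__":
    for h in ("www.linkedin.com", "www.google.com", "host.example"):
        print(h, rule_matches(build(h), EXCLUDED_HOSTS), rule_matches(build(h), PROPOSED_HOSTS))
```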

