[Emerging-Sigs] ALRETID 2011588

Jason Williams jwilliams at emergingthreats.net
Thu Nov 21 13:29:05 HST 2019


Thanks Francis!

On Thu, Nov 21, 2019 at 4:22 PM Francis Trudeau <trudeauf at gmail.com> wrote:

> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zeus Bot Connectivity Check";
> flow:established,to_server; urilen:1;
> content:"GET"; http_method;
> content:"Mozilla/"; http_user_agent; depth:8;
> content:!"login.live.com"; http_host; isdataat:!1,relative;
> content:!"google.com"; http_host; isdataat:!1,relative;
> content:!"www.bing.com"; http_host; isdataat:!1,relative;
> content:!"yandex.ru"; http_host; isdataat:!1,relative;
> http_protocol; content:"HTTP/1.1";
> http_connection; content:"close"; nocase;
> http_header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; content:!"Referer";
> reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus;
> reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html;
> classtype:trojan-activity; sid:2011588; rev:22;
> metadata:created_at 2010_10_01, updated_at 2019_09_28;)
>
> Probably time for retirement, if not, please add
>
> content:!"linkedin.com"; http_host; isdataat:!1,relative;
>
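
The checks in the quoted rule and the exclusion requested above, modelled as an added Python example (not part of the original thread or of the ET ruleset). It assumes the `content:!"..."; http_host; isdataat:!1,relative;` idiom reads as "Host does not end with this string"; the sample requests and the `host.example` name are constructed.

```python
# Simplified model of sid:2011588 rev 22 (illustration only, not Suricata itself).
# Assumption: each negated http_host content + isdataat:!1,relative pair means
# "the Host value does not end with that string".
REV22_EXCLUDED = ("login.live.com", "google.com", "www.bing.com", "yandex.ru")
PROPOSED_EXCLUDED = REV22_EXCLUDED + ("linkedin.com",)  # addition asked for in the thread
HEADER_ORDER = "\r\nAccept\r\nConnection\r\nUser-Agent\r\n"


def header_names(headers):
    """Build an http_header_names-style buffer: CRLF before each header name."""
    return "".join("\r\n" + name for name, _ in headers) + "\r\n\r\n"


def rule_fires(req, excluded_hosts):
    """Return True when every modelled condition of the rule holds."""
    hdrs = {name.lower(): value for name, value in req["headers"]}
    names = header_names(req["headers"])
    host = hdrs.get("host", "").lower()
    return (
        req["method"] == "GET"
        and len(req["uri"]) == 1                                # urilen:1
        and req["protocol"] == "HTTP/1.1"                       # http_protocol
        and hdrs.get("user-agent", "").startswith("Mozilla/")   # depth:8
        and "close" in hdrs.get("connection", "").lower()       # nocase
        and HEADER_ORDER in names                               # header order
        and "Referer" not in names
        and not any(host.endswith(h) for h in excluded_hosts)
    )


def make_request(host):
    """Constructed sample: a bare GET / with the header order the rule expects."""
    return {"method": "GET", "uri": "/", "protocol": "HTTP/1.1",
            "headers": [("Accept", "*/*"), ("Connection", "Close"),
                        ("User-Agent", "Mozilla/4.0 (compatible; MSIE 8.0)"),
                        ("Host", host)]}


def compare(hosts):
    """Map each host to (fires under rev 22, fires with the proposed exclusion)."""
    return {h: (rule_fires(make_request(h), REV22_EXCLUDED),
                rule_fires(make_request(h), PROPOSED_EXCLUDED)) for h in hosts}


if __name__ == "__main__":
    for host, result in compare(["www.linkedin.com", "www.google.com", "host.example"]).items():
        print(host, result)
```
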