Rule History

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC potential reptile commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/\.((testdlls|threads|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; classtype:trojan-activity; sid:2002363; rev:15; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;)