Versions (4)
Version DetailsCurrent
Rev: 5 • Jul 27, 2012, 12:00 PMET MALWARE ZeroAccess HTTP GET request
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess HTTP GET request"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?w="; fast_pattern; content:"&i="; content:"&v="; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/"; http.header_names; content:"|0d 0a|Host|0d 0a|"; startswith; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|"; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2015535; rev:5; metadata:created_at 2012_07_27, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_27;)
Jul 27, 2012, 12:00 PM
Feb 27, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
Oct 13, 2025, 9:34 PM
rules/emerging-malware.rules