Rule History

SID: 2016258 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 3 • Jan 24, 2013, 12:00 PM

Message:

ET DELETED Win32/Kelihos.F Checkin 2

Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:3; metadata:created_at 2013_01_24, signature_severity Unknown, updated_at 2019_07_26;)

Created:

Jan 24, 2013, 12:00 PM

Updated:

Jul 26, 2019, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-deleted.rules