ET MALWARE Win32/Cridex Checkin (sid 2017305)
Version details (current): Rev 5, created Aug 9, 2013, updated Nov 17, 2020
Versions (4): Aug 9, 2013, 12:00 PM; Nov 17, 2020, 12:00 PM; Aug 9, 2013, 12:00 PM; Sep 16, 2024, 11:00 PM
Rule file: rules/emerging-malware.rules

alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Win32/Cridex Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z0-9+]+?\/){3}$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Host|3a 20|"; depth:19; content:"Cache-Control|3a 20|no-cache"; distance:0; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080$/"; http.connection; content:"Keep-Alive"; bsize:10; http.content_len; byte_test:0,>,99,0,string,dec; byte_test:0,<,1000,0,string,dec; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:command-and-control; sid:2017305; rev:5; metadata:created_at 2013_08_09, malware_family Win32_Cridex, signature_severity Major, updated_at 2020_11_17;)
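To see what the rule above actually constrains, here is an added Python checker (not Suricata code and not part of the ET ruleset) that transcribes each sticky-buffer condition into a test over a raw HTTP request and runs it against constructed sample requests: a check-in that matches, the same request with an extra User-Agent header (the fixed header order in http.header_names no longer matches), and one with a body too small for the byte_test pair. The request bytes and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constraints transcribed from the ET rule (sid 2017305); this is an added
# illustration of the rule's logic, not Suricata's matching engine.
URI_RE = re.compile(r"^/(?:[a-z0-9+]+?/){3}$", re.I)          # http.uri pcre
HOST_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:8080$")  # http.host.raw pcre
# http.header_names buffer begins with CRLF; the rule requires this exact order.
HEADER_NAMES = "\r\nAccept\r\nHost\r\nContent-Length\r\nConnection\r\nCache-Control\r\n\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, [(name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = [(n, v) for n, _, v in (h.partition(": ") for h in lines[1:])]
    return method, uri, headers


def matches_cridex_checkin(raw: bytes) -> bool:
    """True when every content/pcre/byte_test condition of the rule holds."""
    method, uri, headers = parse_request(raw)
    names = "\r\n" + "\r\n".join(n for n, _ in headers) + "\r\n\r\n"
    header_buf = "".join(f"{n}: {v}\r\n" for n, v in headers)   # http.header
    hdr = {n.lower(): v for n, v in headers}
    try:
        clen = int(hdr.get("content-length", ""))                # http.content_len
    except ValueError:
        return False
    return (
        method == "POST"
        and URI_RE.match(uri) is not None
        and header_buf.startswith("Accept: */*\r\nHost: ")      # content + depth:19
        and "Cache-Control: no-cache" in header_buf             # content, distance:0
        and HOST_RE.match(hdr.get("host", "")) is not None
        and hdr.get("connection") == "Keep-Alive"               # bsize:10, exact
        and 99 < clen < 1000                                    # byte_test >99 and <1000
        and names.startswith(HEADER_NAMES)                      # http.header_names
    )


# Constructed sample requests (not real captures).
CHECKIN = (b"POST /abc123/def/gh+i/ HTTP/1.1\r\nAccept: */*\r\nHost: 192.0.2.10:8080\r\n"
           b"Content-Length: 256\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
           + b"A" * 256)
WITH_UA = CHECKIN.replace(b"Host: ", b"User-Agent: Mozilla/4.0\r\nHost: ")  # extra header
SHORT = CHECKIN.replace(b"Content-Length: 256", b"Content-Length: 50")       # body too small
```

Running the three samples through matches_cridex_checkin gives True, False, False, which shows how much of the rule's specificity comes from the exact header set and order rather than from the URI alone.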