Versions (4)
Version DetailsCurrent
Rev: 5 • Dec 12, 2013, 12:00 PMET MALWARE Possible Zbot Activity Common Download Struct
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zbot Activity Common Download Struct"; flow:to_server,established; http.uri; content:".bin"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"passport.net"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:trojan-activity; sid:2017836; rev:5; metadata:created_at 2013_12_12, confidence Medium, signature_severity Major, updated_at 2020_08_12;)
Dec 12, 2013, 12:00 PM
Aug 12, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-malware.rules