Versions (3)
Version DetailsCurrent
Rev: 19 • May 5, 2014, 12:00 PMET MALWARE CryptoWall Check-in
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall Check-in"; flow:established,to_server; urilen:<134; http.uri; pcre:"/[\/=][a-z0-9]{8,}$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.request_body; content:"="; offset:1; depth:1; pcre:"/^[a-z]=[a-f0-9]{80,}$/"; http.accept; content:"*/*"; depth:3; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; depth:24; content:!"Accept-"; nocase; content:!"Referer"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:19; metadata:created_at 2014_05_05, deprecation_reason Performance, performance_impact Significant, signature_severity Major, updated_at 2024_04_08;)
May 5, 2014, 12:00 PM
Apr 8, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-malware.rules