Versions (3)
Version DetailsCurrent
Rev: 3 • Jun 17, 2014, 12:00 PMET MALWARE W32/Asprox.Bot Knock Variant CnC Beacon
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.Bot Knock Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[A-F0-9]{20,}+$/"; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})$/i"; http.request_body; content:"<knock>"; fast_pattern; depth:7; content:"<ID>"; within:6; content:"<group>"; distance:0; content:"<version>"; distance:0; content:"<status>"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html; classtype:command-and-control; sid:2018574; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_06_17, deployment Perimeter, signature_severity Major, tag c2, updated_at 2020_04_30, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)Jun 17, 2014, 12:00 PM
Apr 30, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-malware.rules