Versions (4)
Version DetailsCurrent
Rev: 5 • Jun 24, 2014, 12:00 PMET MALWARE Citadel Checkin
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel Checkin"; flow:established,to_server; flowbits:set,et.citadel; http.method; content:"POST"; http.uri; content:"/file.php"; fast_pattern; pcre:"/^\/[A-Za-z0-9]+?\/file\.php$/"; http.header; content:"Content-Length|3a 20|128|0d 0a|"; nocase; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|"; depth:25; http.header_names; content:!"Referer"; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:command-and-control; sid:2018598; rev:5; metadata:created_at 2014_06_24, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_07;)
Jun 24, 2014, 12:00 PM
Oct 7, 2020, 12:00 PM
Jun 24, 2014, 12:00 PM
Oct 22, 2025, 9:34 PM
rules/emerging-malware.rules