Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz / Asprox checkin"; flow:established,to_server; http.uri; content:"/api/"; fast_pattern; pcre:"/^\/(?:components|wp-content|tmp)/api/[a-zA-Z0-9\/\x20]{43}=\/(?:toll|inv|notice|get_label)$/"; reference:url,garwarner.blogspot.com/2014/07/e-zpass-spam-leads-to-location-aware.html; reference:url,blog.malcovery.com/blog/more-information-on-this-weeks-e-zpass-scam; classtype:command-and-control; sid:2018739; rev:4; metadata:created_at 2014_07_18, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_24;)