Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EUPUDS.A Requests for Boleto replacement"; flow:established,to_server; urilen:10; http.request_line; content:"POST /index.php HTTP/1."; fast_pattern; http.header_names; content:"Content-Type|0d 0a|"; content:"Content-Length|0d 0a|"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Cache-Control|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; http.host; content:!"antia-client-log.puzzleplusgames.net"; http.request_body; pcre:"/^[a-f0-9]{8}\x3d(?:[A-Za-z0-9-_]{4})*(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=|[A-Za-z0-9-_]{4})$/i"; reference:url,blogs.rsa.com/wp-content/uploads/2015/07/Bolware-Fraud-Ring-RSA-Research-July-2-FINALr2.pdf; classtype:trojan-activity; sid:2018793; rev:9; metadata:created_at 2014_07_28, deprecation_reason Age, signature_severity Major, updated_at 2024_05_29, reviewed_at 2024_03_15;)