Rule History

SID: 2019631 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 2 • Nov 3, 2014, 12:00 PM

Message:

ET MALWARE Win32.TrojanProxy Configuration file Download

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.TrojanProxy Configuration file Download"; flow:established,from_server; file_data; content:"@$@"; fast_pattern; within:3; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x40\x24\x40$/Ri"; reference:url,fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html; classtype:trojan-activity; sid:2019631; rev:2; metadata:created_at 2014_11_03, signature_severity Major, updated_at 2019_07_26;)

Created:

Nov 3, 2014, 12:00 PM

Updated:

Jul 26, 2019, 12:00 PM

DB Created:

Nov 3, 2014, 12:00 PM

DB Updated:

Sep 10, 2024, 1:01 PM

Filename:

rules/emerging-malware.rules