Versions (3)
Version DetailsCurrent
Rev: 5 • Dec 3, 2014, 12:00 PMET MALWARE Vawtrak/NeverQuest Posting Data
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:".php?i="; content:"&data="; distance:0; content:"&hash="; fast_pattern; pcre:"/&hash=[^&]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,13c982c3b9c1ef714770820ffa278d2e; classtype:trojan-activity; sid:2019843; rev:5; metadata:created_at 2014_12_03, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_28;)
Dec 3, 2014, 12:00 PM
Sep 28, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
Oct 1, 2025, 9:34 PM
rules/emerging-malware.rules