Versions (5)
Version DetailsCurrent
Rev: 8 • Dec 6, 2014, 12:00 PMET MALWARE Chthonic Check-in
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic Check-in"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\\x2f(?:[a-z]+\\x2f)?$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; pcre:"/^Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows\x20NT\x20\d+\.\d+\x3b\x20SV1\x29$/"; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; classtype:trojan-activity; sid:2019881; rev:8; metadata:created_at 2014_12_06, deprecation_reason Performance, performance_impact Significant, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_25;)
Dec 6, 2014, 12:00 PM
Nov 25, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
Oct 24, 2025, 9:34 PM
rules/emerging-malware.rules