Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/loader.php?name="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,7e47a518561c46123d4facd43effafbf; classtype:command-and-control; sid:2020883; rev:7; metadata:created_at 2015_04_09, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_30;)