Rule History

SID: 2020893 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 2 • Apr 11, 2015, 12:00 PM

Message:

ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M1

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|22|4D5A90"; fast_pattern; nocase; content:!"|22|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020893; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, confidence High, signature_severity Minor, tag DriveBy, updated_at 2019_07_26;)

Created:

Apr 11, 2015, 12:00 PM

Updated:

Jul 26, 2019, 12:00 PM

DB Created:

Apr 11, 2015, 12:00 PM

DB Updated:

Sep 19, 2024, 11:00 PM

Filename:

rules/emerging-web_client.rules