Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbon FormGrabber/Retgate.A/Rombertik Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name="; content:"&host="; content:"&browser="; content:"&post="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,symantec.com/connect/blogs/european-automobile-businesses-fall-prey-carbon-grabber; reference:md5,72bab43e406c9e325e49e27b22853b60; reference:url,blogs.cisco.com/security/talos/rombertik; reference:md5,f504ef6e9a269e354de802872dc5e209; classtype:command-and-control; sid:2021055; rev:6; metadata:created_at 2015_05_04, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_30;)