Rule History

SID: 2021440 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 3 • Jul 20, 2015, 12:00 PM

Message:

ET MALWARE KeyBase Keylogger HTTP Pattern

Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger HTTP Pattern"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/post.php?type="; fast_pattern; content:"&machinename="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?/"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021440; rev:3; metadata:created_at 2015_07_20, signature_severity Major, updated_at 2020_05_29;)

Created:

Jul 20, 2015, 12:00 PM

Updated:

May 29, 2020, 12:00 PM

DB Created:

Jul 20, 2015, 12:00 PM

DB Updated:

Sep 10, 2024, 1:01 PM

Filename:

rules/emerging-malware.rules