Versions (4)
Version DetailsCurrent
Rev: 4 • Jul 23, 2015, 12:00 PMET RETIRED PoisonIvy HTTP CnC Beacon
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET RETIRED PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:command-and-control; sid:2021523; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2024_12_05, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
Jul 23, 2015, 12:00 PM
Dec 5, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-retired.rules