Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC POST"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/r0/index.php"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021839; rev:4; metadata:created_at 2015_09_25, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_06_01;)