Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data 2"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; content:"/0000"; distance:1; fast_pattern; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; classtype:trojan-activity; sid:2022016; rev:4; metadata:created_at 2015_11_02, performance_impact Significant, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_22;)