Versions (3)
Version DetailsCurrent
Rev: 4 • Nov 17, 2015, 12:00 PMET MALWARE r0 CnC Architecture GET 3
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture GET 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/armel?ver="; depth:11; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022108; rev:4; metadata:created_at 2015_11_17, signature_severity Major, updated_at 2020_06_09;)
Nov 17, 2015, 12:00 PM
Jun 9, 2020, 12:00 PM
Nov 17, 2015, 12:00 PM
Sep 10, 2024, 1:01 PM
rules/emerging-malware.rules