Versions (5)
Version Details (Current)
Rev: 6 • Dec 2, 2015, 12:00 PM
ET MALWARE Ponmocup HTTP Request (generic) M8
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M8"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"8"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022204; rev:6; metadata:created_at 2015_12_02, performance_impact Significant, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_05_01;)
Dec 2, 2015, 12:00 PM
May 1, 2024, 12:00 PM
Dec 2, 2015, 12:00 PM
Oct 6, 2025, 9:38 PM
rules/emerging-malware.rules