Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Formgrabber Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"c="; depth:2; content:"&v="; distance:0; content:"&h="; distance:0; content:"&t="; fast_pattern; distance:0; pcre:"/^c=[A-F0-9]{10,}&v=[^&]+&h=[^&]+&t=[0-9]$/si"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cb066c5625aa85957d6b8d4caef4e497; reference:url,thisissecurity.stormshield.com/2017/09/28/analyzing-form-grabber-malware-targeting-browsers; classtype:trojan-activity; sid:2024781; rev:3; metadata:created_at 2017_09_28, malware_family Win32_Formgrabber, confidence High, signature_severity Major, updated_at 2020_08_12;)