Rule History

SID: 2027730 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 2 • Jul 19, 2019, 12:00 PM

Message:

ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0)

Rule:

alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027730; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, confidence Medium, signature_severity Major, tag Windigo, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)

Created:

Jul 19, 2019, 12:00 PM

Updated:

Jul 26, 2019, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Sep 23, 2025, 9:34 PM

Filename:

rules/emerging-malware.rules