ET MALWARE Possible DarkRats Tor Traffic

SID: 2033387
Rev: 2
History
Source: et/open
Created: July 22, 2021
Updated: July 22, 2021
Classification: trojan-activity
alert tls $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible DarkRats Tor Traffic"; flow:established,from_server; tls.cert_issuer; content:"CN=www"; startswith; content:".com"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.com$/"; tls.cert_subject; content:"CN=www"; startswith; content:".net"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.net$/"; xbits:isset,ET.ipcheck,track ip_dst; xbits:isset,ET.dropsite,track ip_dst; classtype:trojan-activity; sid:2033387; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, performance_impact Significant, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_22, reviewed_at 2024_05_07;)

Metadata

attack target: Client_Endpoint
created at: 2021_07_22
deployment: Perimeter
performance impact: Significant
confidence: Medium
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2021_07_22
reviewed at: 2024_05_07
