Et rule 2016067 - Magic-SigExplorer

""ET POLICY Possible BitCoin Miner User-Agent (miner)""

SID: 2016067

Revision: 3

Class Type: trojan-activity

Metadata: affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, deployment Datacenter, signature_severity Informational, tag Bitcoin_Miner, updated_at 2021_11_15, reviewed_at 2024_03_25

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "miner"
Value: !"|3a 20|IdleMiner|0d|"
Value: !"|3a 20|CFNetwork|0d|"
Value: !"|2e|kaspersky.com|0d 0a|"

Within:

PCRE: "/User-Agent\x3A[^\r\n]*miner[^a-z]/Hi"

Special Options:

nocase
http_header
http_header
http_header
http_header

source