Et rule 2017599 - Magic-SigExplorer

""ET TROJAN W32.Nemim Checkin""

SID: 2017599

Revision: 3

Class Type: trojan-activity

Metadata: created_at 2013_10_15, updated_at 2015_10_20

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

Value: ".php?a1="
Value: "&a2="
Value: "&a3="

Within:

PCRE: "/.php\?a1=(?:[A-Za-z0-9+/]{4})(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&a2=[a-f0-9]{32}&a3=(?:[A-Za-z0-9+/]{4})(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"

Special Options:

nocase
http_uri
http_uri
nocase
http_uri
nocase

source