Et rule 2029739 - Magic-SigExplorer

""ET TROJAN Win32/Milum CnC""

SID: 2029739

Revision: 3

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_03_25

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "|0d 0a 0d 0a|md="
Value: "POST"
Value: ".php"
Value: "md=" Depth: 3
Value: "&nk="
Value: "&val="
Value: "|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"

Within:

PCRE: "/&val=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"

Special Options:

fast_pattern
http_method
http_uri
http_client_body
http_client_body
http_client_body
http_header

source