""ET EXPLOIT Observed Mirai/Gafgyt Post Brute Force Activity (GET)""

SID: 2042956

Revision: 1

Class Type: misc-attack

Metadata: attack_target Linux_Unix, created_at 2022_12_16, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2022_12_16

Reference:

  • md5

  • 512d5c2ba6b14f732061fc2f28a72f72

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "GET"

  • Value: "/fuckyou/xd." Depth: 12

  • Value: "User-Agent|3a 20|wget/"

Within:

PCRE: "/^Host\x3a\x20\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$/Hm"

Special Options:

  • http_method

  • http_uri

  • fast_pattern

  • nocase

  • http_header

source