ET MALWARE IRC Potential bot scan/exploit command

7.0.35.0SID: 2002030Rev: 19Enabled2 views
Sourceet/open
Fileemerging-malware.rules
CreatedJuly 30, 2010
UpdatedMarch 15, 2024
Classificationtrojan-activity
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot scan/exploit command"; flow:established,to_client; flowbits:isset,is_proto_irc; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; classtype:trojan-activity; sid:2002030; rev:19; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2024_03_15;)

Metadata

created at2010_07_30
signature severityMajor
updated at2024_03_15

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!