ET MALWARE Gulpix/PlugX Client Request
Sourceet/open
Fileemerging-malware.rules
CreatedFebruary 21, 2014
UpdatedApril 7, 2024
Classificationtrojan-activity
alert http1 $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gulpix/PlugX Client Request"; flow:established,to_server ; http.method; content:"POST"; http.header; content:"1|3a 20|"; content:"2|3a 20|"; distance:0; content:"3|3a 20|"; distance:0; pcre:"/^(?P<vname>[^\r\n\x3a]+)(?P<n1>[0-4])\x3a\x20\d+\r\n(?P=vname)(?P<n2>((?!(?P=n1))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?P<n3>((?!((?P=n1)|(?P=n2)))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?:(?!((?P=n1)|(?P=n2)))[0-4])\x3a\x20\d+\r\n/m" ; http.header_names; content:!"Referer"; reference:md5,663d7774b6727a070b558676cee9fe43 ; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html ; classtype:trojan-activity; sid:2018169; rev:7; metadata:created_at 2014_02_21, signature_severity Major, updated_at 2024_04_07;)
References
Metadata
created at2014_02_21
signature severityMajor
updated at2024_04_07
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!