Adwind RAT Suricata rules (flowbit chain, sids 2024751-2024756)
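########################## Adwind RAT
# Six-rule flowbit chain for Backdoor.Java.Adwind.cu over TLS. Rules 2024751-2024755 are
# "noalert" stage markers that hand a flowbit down the chain; only 2024756 alerts.
# Stages 2-6 never look inside the encrypted payload: they key on the cleartext TLS record
# header (17 03 xx <len>), the record length, the direction, and the cumulative stream_size
# windows of both sides. No TLS decryption is needed.
#
# Stage 1 (2024751) matches a server->client DER X.509 certificate prefix:
#   30 82 .. ..      SEQUENCE  (Certificate, 2-byte length)
#   30 82 .. ..      SEQUENCE  (tbsCertificate, 2-byte length)
#   a0 03 02 01 02   [0] EXPLICIT version INTEGER 2  (v3)
#   02               INTEGER serialNumber
# That is the generic layout of any v3 certificate whose outer lengths take 2 bytes, not
# something Adwind-specific, so FB332502_ is set on most TLS sessions from $EXTERNAL_NET and
# all selectivity comes from the later stages. The threshold on this rule has no effect on
# alerting because the rule is noalert (it looks like a leftover).
#
# Caveats before deploying with alerting enabled:
#   - Every stream_size / record-length bound was derived from the single referenced sample
#     (md5 56e42156a1676b34f5350c01e34875d1). A variant with different message sizes drops out
#     of the chain silently (false negative); unrelated TLS traffic with the same record sizes
#     in the same windows can walk it (false positive). Validate on local traffic first.
#   - A stage unsets the previous bit only when it progresses; a flow that stalls keeps its
#     current bit for the flow's lifetime, so a later matching packet can resume the chain.
#   - fast_pattern is forced onto the 2-byte |0040| / |0050| content, a very low-entropy
#     pattern; expect many packets to reach these rules (hence performance_impact Moderate).
#   - msg/sid/metadata follow the ET Open conventions; bump rev if a rule is changed locally.
#
# stage 1 (server->client): certificate prefix; sets FB332502_
alert tls $EXTERNAL_NET any -> $HOME_NET any ( msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow: established, to_client;content: "|3082|";depth:300; content: "|3082|";distance:2;within:2; content: "|a00302010202|";distance:2;within:6; flowbits: set, FB332502_; threshold: type limit, track by_src, count 1, seconds 30; flowbits: noalert ; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024751; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
# stage 2 (client->server): application-data record of 64 bytes (length 0x0040); FB332502_ -> FB332502_0
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow: established, to_server; content: "|1703|"; depth:2; content: "|0040|"; distance:1; within:2; fast_pattern; stream_size: server, >,1689; stream_size: server, <,2124; stream_size: client, >,447; stream_size: client, <,1722; flowbits: isset, FB332502_; flowbits: set, FB332502_0; flowbits: noalert ; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024752; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
# stage 3 (server->client): 64-byte application-data record; FB332502_0 -> FB332502_1
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 3"; flow: established, to_client; content: "|1703|"; depth:2; content: "|0040|"; distance:1; within:2; fast_pattern; stream_size: server, >,1658; stream_size: server, <,2124; stream_size: client, >,447; stream_size: client, <,1722; flowbits: isset, FB332502_0; flowbits: unset, FB332502_0; flowbits: set, FB332502_1; flowbits: noalert ; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
# stage 4 (client->server): record length 900..1100 read by byte_test from the 2-byte length field after "17 03 xx"; FB332502_1 -> FB332502_2
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 4"; flow: established, to_server; content: "|1703|"; depth:2; byte_test: 2, >=,900, 1, relative; byte_test: 2, <=,1100, 1, relative; stream_size: server, >,1758; stream_size: server, <,2124; stream_size: client, >,1376; stream_size: client, <,5922; flowbits: isset, FB332502_1; flowbits: unset, FB332502_1; flowbits: set, FB332502_2; flowbits: noalert ; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
# stage 5 (server->client): 80-byte application-data record (length 0x0050); FB332502_2 -> FB332502_3
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 5"; flow: established, to_client; content: "|1703|"; depth:2; content: "|0050|"; distance:1; within:2; fast_pattern; stream_size: server, >,1843; stream_size: server, <,2924; stream_size: client, >,1476; stream_size: client, <,9722; flowbits: isset, FB332502_2; flowbits: unset, FB332502_2; flowbits: set, FB332502_3; flowbits: noalert;metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024755; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_02_26;)
# stage 6 (server->client): 80-byte application-data record with FB332502_3 set; consumes the bit and alerts, limited to 1 per source per 30 s
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu"; flow: established, to_client; content: "|1703|"; depth:2; content: "|0050|"; distance:1; within:2; fast_pattern; stream_size: server, >,1843; stream_size: server, <,3036; stream_size: client, >,1476; stream_size: client, <,9834; flowbits: isset, FB332502_3; flowbits: unset, FB332502_3; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; sid:2024756; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_02_14;)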