32 lines
663 B
Text
32 lines
663 B
Text
|
rule blackrev
|
||
|
{
|
||
|
meta:
|
||
|
author = "Dennis Schwarz"
|
||
|
date = "2013-05-21"
|
||
|
description = "Black Revolution DDoS Malware. http://www.arbornetworks.com/asert/2013/05/the-revolution-will-be-written-in-delphi/"
|
||
|
strings:
|
||
|
$base1 = "http"
|
||
|
$base2 = "simple"
|
||
|
$base3 = "loginpost"
|
||
|
$base4 = "datapost"
|
||
|
|
||
|
$opt1 = "blackrev"
|
||
|
$opt2 = "stop"
|
||
|
$opt3 = "die"
|
||
|
$opt4 = "sleep"
|
||
|
$opt5 = "syn"
|
||
|
$opt6 = "udp"
|
||
|
$opt7 = "udpdata"
|
||
|
$opt8 = "icmp"
|
||
|
$opt9 = "antiddos"
|
||
|
$opt10 = "range"
|
||
|
$opt11 = "fastddos"
|
||
|
$opt12 = "slowhttp"
|
||
|
$opt13 = "allhttp"
|
||
|
$opt14 = "tcpdata"
|
||
|
$opt15 = "dataget"
|
||
|
|
||
|
condition:
|
||
|
all of ($base*) and 5 of ($opt*)
|
||
|
}
|