From 02ea91ec8bfbce2277e6ca585d78b657c5e49ce2 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Sat, 28 Nov 2020 19:09:07 +0100
Subject: [PATCH] Update proxy_ursnif_malware.yml

---
 rules/proxy/proxy_ursnif_malware.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml
index 09bf0edac..1445ed4f3 100644
--- a/rules/proxy/proxy_ursnif_malware.yml
+++ b/rules/proxy/proxy_ursnif_malware.yml
@@ -4,12 +4,15 @@ status: stable
 description: Detects download of Ursnif malware done by dropper documents.
 author: Thomas Patzke
 date: 2019/12/19
-modified: 2020/09/03
+modified: 2020/11/28
 logsource:
     category: proxy
 detection:
     selection:
-        c-uri|endswith: '/*.php?l=*.cab'
+        c-uri|contains|all:
+            - '/'
+            - '.php?l='
+        c-uri|endswith: '.cab'
         sc-status: 200
     condition: selection
 fields:
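Review bot: The `?` inside the new `'.php?l='` value is a Sigma single-character wildcard rather than a literal question mark, so the term also matches `.phpXl=` for any single character X; to pin the literal query separator it should be escaped as `- '.php\?l='` (the removed `'/*.php?l=*.cab'` carried the same unescaped `?`, so this predates the commit but is not fixed by it). The `'/'` entry under `c-uri|contains|all` is satisfied by virtually any proxied URI and therefore adds no constraint on its own; it is probably either a leftover from the old glob or should be a more specific path fragment. Splitting the old single pattern into `contains|all` plus `endswith` also drops the ordering between the `.php?l=` fragment and the `.cab` suffix, which slightly widens what the selection matches compared with the previous rule and may be worth a sentence in the description. The rule body continues past `fields:` outside the hunk.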