title: Chafer Malware URL Pattern
status: experimental
description: Detects HTTP requests used by Chafer malware
references:
    - https://securelist.com/chafer-used-remexi-malware/89538/
author: Florian Roth
date: 2019/01/31
logsource:
    category: proxy
detection:
    selection:
        c-uri-query: '*/asp.asp?ui=*'
    condition: selection
fields:
    - ClientIP
    - URL
    - UserAgent
falsepositives:
    - Unknown
level: critical