rule wineggdrop : portscanner
{
meta:
author = "Christian Rebischke (@sh1bumi)"
date = "2015-09-05"
description = "Rules for TCP Portscanner VX.X by WinEggDrop"
in_the_wild = true
family = "Hackingtool/Portscanner"
strings:
$a = { 54 43 50 20 50 6f 72 74 20 53 63 61 6e 6e 65 72
20 56 3? 2e 3? 20 42 79 20 57 69 6e 45 67 67 44
72 6f 70 0a }
$b = "Result.txt"
$c = "Usage: %s TCP/SYN StartIP [EndIP] Ports [Threads] [/T(N)] [/(H)Banner] [/Save]\n"
condition:
//check for MZ Signature at offset 0
uint16(0) == 0x5A4D
and
//check for wineggdrop specific strings
$a and $b and $c
}