
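# Lure subject used by old mass-mailing worm/trojan campaigns, e.g.
#   Subject: Your wife photos attached
# SpamAssassin matches 'header' rules against the RFC2047-decoded Subject, so
# encoded-word variants of the same text are covered as well.
# \s+ instead of a literal space so doubled spaces or tabs between the words do
# not evade the rule; "wife(?:'?s)?" accepts "wife", "wifes" and "wife's", and
# "photos?" accepts the singular and plural, exactly as the original alternation did.
header   SOSDG_VIRUS_WIFE1 Subject =~ /your\s+wife(?:'?s)?\s+photos?\s+attached/i
describe SOSDG_VIRUS_WIFE1 Subject is common virus/trojan sign
# 3.0 is below the default required_score of 5.0, so this hit alone does not
# tag a message; it needs to combine with other rules. Lower it if legitimate
# mail trips the pattern in your environment.
score    SOSDG_VIRUS_WIFE1 3.0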
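# Locky ransomware malspam: short, generic "please find attached" business
# pretexts carrying the downloader in an archive attachment. Every body phrase
# below is also normal business-email wording, so none of them is scored on its
# own (double-underscore rules are unscored sub-rules); the meta rule at the
# bottom requires at least two signals before it fires.
# 'body' rules are matched against the rendered text body, so HTML-formatted
# variants of the same text are covered.
body       __LOCKY_TEST1 /I am sending copies of the documents as attachments/i
body       __LOCKY_TEST2 /Thank you very much for your reply/i
# The original pattern ended in an unescaped '.', which matched any character
# rather than a full stop; a word boundary matches the phrase as intended.
body       __LOCKY_TEST3 /I have attached the financial report you requested\b/i
body       __LOCKY_TEST4 /I am sending you the invoice you requested/i
body       __LOCKY_TEST5 /Attached please find the documents you requested/i
body       __LOCKY_TEST6 /wrong data file you received from me/i
body       __LOCKY_TEST7 /attached is concerned with the company database/i
# Archive attachment. 'mimeheader' rules run against the headers of each MIME
# part. The Content-Type check is unanchored, so it also catches a name="x.zip"
# parameter on that header (e.g. application/octet-stream; name="invoice.zip"),
# but malspam that only carries the filename in Content-Disposition would be
# missed by it, hence the second sub-rule. __ZIP_ATTACHED keeps its name so any
# other rule file referencing it continues to work. Other archive types (rar,
# 7z) are deliberately not included here; add a sibling sub-rule if needed.
mimeheader __LOCKY_ZIP_CT Content-Type =~ /zip/i
mimeheader __LOCKY_ZIP_FN Content-Disposition =~ /filename=.*\.zip\b/i
meta       __ZIP_ATTACHED (__LOCKY_ZIP_CT || __LOCKY_ZIP_FN)
# Arithmetic meta: each sub-rule contributes 1 when it hits, 0 otherwise, so
# "> 1" means at least two of the signals above — in practice one pretext
# phrase plus a zip attachment, or two pretext phrases. Do not lower the
# threshold to 1: the phrases alone are far too common in legitimate mail.
meta       SOSDG_LOCKY_RANSOMWARE1 (( __LOCKY_TEST1 + __LOCKY_TEST2 + __LOCKY_TEST3 + __LOCKY_TEST4 + __LOCKY_TEST5 + __LOCKY_TEST6 + __LOCKY_TEST7 + __ZIP_ATTACHED ) > 1)
# 4.0 is below the default required_score of 5.0; treat this as a strong
# contributing signal, not a standalone verdict. Raise it only if you have
# confirmed the false-positive rate on your own mail flow.
score      SOSDG_LOCKY_RANSOMWARE1 4.0
describe   SOSDG_LOCKY_RANSOMWARE1 Common patterns for Locky ransomware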