Rule History

SID: 2008559 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 8 • Jul 30, 2010, 12:00 PM

Message:

ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; classtype:trojan-activity; sid:2008559; rev:8; metadata:created_at 2010_07_30, confidence Medium, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_09_27;)

Created:

Jul 30, 2010, 12:00 PM

Updated:

Sep 27, 2019, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Oct 21, 2025, 10:35 PM

Filename:

rules/emerging-attack_response.rules