Versions (3)
Version Details (Current)
Rev: 9 • Jul 30, 2010, 12:00 PM
ET SCAN HZZP Scan in Progress calc in Headers
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; http.method; content:"GET"; http.header; content:"C|3a|/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; classtype:attempted-recon; sid:2011028; rev:9; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2020_09_14;)
Jul 30, 2010, 12:00 PM
Sep 14, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-scan.rules