Rule History

SID: 2011341 • Source: et/open

Versions (5)

Version Details (Current)

Rev: 19, Sep 28, 2010, 12:00 PM

ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; http.method; content:"POST"; nocase; http.host; content:!"nvidia.com"; endswith; content:!"dc.services.visualstudio.com"; endswith; content:!".avg.com"; endswith; content:!"bitdefender.net"; endswith; content:!"svc.iolo.com"; endswith; content:!".lavasoft.com"; endswith; content:!"canonicalizer.ucsuri.tcs"; content:!"sentry.io"; endswith; http.user_agent; content:!"Elastic-winlogbeat"; startswith; http.request_body; content:"C|3a 5c 5c|WINDOWS|5c|"; fast_pattern; nocase; classtype:trojan-activity; sid:2011341; rev:19; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2010_09_28, deployment Perimeter, confidence Low, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_20;)

Sep 28, 2010, 12:00 PM

Jun 20, 2024, 12:00 PM

Sep 28, 2010, 12:00 PM

Oct 20, 2025, 3:34 PM

rules/emerging-hunting.rules