Back to Rule

Rule History

SID: 2013414 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 11Aug 17, 2011, 12:00 PM

ET POLICY Executable served from Amazon S3

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"|0d 0a|Server|3A| AmazonS3"; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:11; metadata:created_at 2011_08_17, performance_impact Moderate, confidence High, signature_severity Informational, updated_at 2024_04_09;)

Aug 17, 2011, 12:00 PM

Apr 9, 2024, 12:00 PM

Sep 21, 2024, 3:00 AM

May 30, 2025, 12:04 AM

rules/emerging-policy.rules