Rule History

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; http.header; content:"TE|3a 20|deflate,gzip|3b|q=0.3|0d 0a|Connection|3a 20|TE, close|0d 0a|Host|3a 20|"; depth:53; content:"User-Agent|3a 20|"; within:100; http.user_agent; content:!"libwww-perl/"; http.request_line; content:"GET //"; fast_pattern; startswith; http.header_names; bsize:26; content:"|0d 0a|TE|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; threshold:type threshold, track by_dst, count 10, seconds 20; classtype:attempted-recon; sid:2013416; rev:13; metadata:created_at 2011_08_17, performance_impact Moderate, confidence High, signature_severity Informational, updated_at 2024_04_09;)