Rule History

SID: 2017947 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 4 • Jan 9, 2014, 12:00 PM

Message:

ET DELETED Possible Styx Kein Landing URI Struct

Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Styx Kein Landing URI Struct"; flow:to_server,established; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[^=&\?]{4,}=[^&]{20,}$/U"; content:"Host|3a 20|www"; http_header; content:!"."; within:1; http_header; pcre:"/^Host\x3a\x20www\d+?\.[^\.]+?\.[^\.]+?\.([^\.]+\.)*?[a-z]{2,4}(?:\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017947; rev:4; metadata:created_at 2014_01_09, signature_severity Unknown, updated_at 2019_07_26;)

Created:

Jan 9, 2014, 12:00 PM

Updated:

Jul 26, 2019, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-deleted.rules