Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|20|MSIE|20|"; nocase; fast_pattern; content:!"Mozilla/4.0 (compatible|3b 20|MSIE|20|6.0|3b 20|DynGate)"; content:!"Windows Live Messenger"; content:!"MS Web Services Client Protocol"; http.host; content:!"groove.microsoft.com"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.request_body; content:!"grooveDNS|3a|//"; http.header_names; content:!"X-Requested-With"; nocase; content:!"Accept-Encoding"; content:!"Referer"; classtype:bad-unknown; sid:2018358; rev:11; metadata:created_at 2014_04_04, performance_impact Significant, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_22;)