Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.pw domain with direct request/fake browser (multiple families flowbit set)"; flow:to_server,established; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-Language|0d 0a|"; http.host; content:".pw"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/i"; classtype:trojan-activity; sid:2018571; rev:4; metadata:created_at 2014_06_17, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_30;)