Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miuref/Boaxxe Checkin"; flow:to_server,established; urilen:>400; http.method; content:"GET"; http.uri.raw; content:"%2b"; fast_pattern; content:"%2f"; content:!"|2e|"; content:!"|3f|"; content:!"|26|"; pcre:"/^\/(?:[a-zA-Z0-9]|%2[fb]){400,}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/01/17/boaxxe-adware-a-good-advert-sells-the-product-without-drawing-attention-to-itself-part-2/; reference:url,blogs.technet.com/b/mmpc/archive/2014/05/13/msrt-may-2014-miuref.aspx; classtype:pup-activity; sid:2018582; rev:12; metadata:created_at 2013_11_22, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_24;)