Versions (2)
Version Details
Current
Rev: 5 • Jan 16, 2015, 12:00 PM
ET HUNTING Terse Named Filename EXE Download - Possibly Hostile
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Terse Named Filename EXE Download - Possibly Hostile"; flow:established,to_client; http.header; content:"filename="; content:".exe"; within:8; fast_pattern; pcre:"/filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe/i"; classtype:suspicious-filename-detect; sid:2020202; rev:5; metadata:attack_target Client_and_Server, created_at 2015_01_16, deployment Perimeter, deployment SSLDecrypt, deployment alert_only, performance_impact Moderate, confidence Low, signature_severity Informational, updated_at 2023_05_24; target:dest_ip;)
Jan 16, 2015, 12:00 PM
May 24, 2023, 12:00 PM
Jan 16, 2015, 12:00 PM
May 31, 2024, 9:00 PM
rules/emerging-hunting.rules