Rule History

alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<53; http.method; content:"GET"; http.uri; content:!"."; content:"/"; offset:6; content:"/"; distance:1; within:2; content:"/"; distance:1; within:1; content:"/"; distance:1; within:1; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*$/"; http.host.raw; pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}$/i"; http.start; content:"|20|HTTP/1.1|0d 0a|User-Agent"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020369; rev:7; metadata:created_at 2015_02_05, performance_impact Significant, signature_severity Major, updated_at 2024_04_08;)