Rule History

alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,to_client; tls.certs; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, confidence Medium, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2024_04_04;)