Rule History

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,to_client; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, confidence Medium, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2024_04_04;)