Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mokes CnC Keep-Alive"; flow:established,to_server; urilen:3; threshold: type both, count 9, seconds 60, track by_src; http.method; content:"GET"; http.uri; content:"/v1"; depth:3; fast_pattern; http.header; content:"Accept"; content:"User-Agent|3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/73503/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/; classtype:command-and-control; sid:2022477; rev:3; metadata:created_at 2016_02_01, signature_severity Major, updated_at 2020_06_23;)