Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Download Request Containing Suspicious Filename - Crypted"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"crypted.exe"; nocase; fast_pattern; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ff823130efcdf8ab267cad92eb5b90d7; reference:md5,e953e6b3be506c5b8ca80fbcd79c065e; reference:md5,1e2fa2e401cd2295a03ba8d8d3d3698b; classtype:trojan-activity; sid:2022491; rev:3; metadata:created_at 2016_02_04, confidence Medium, signature_severity Major, updated_at 2020_06_23;)