Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.accountant) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".accountant"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023460; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, confidence Medium, signature_severity Minor, updated_at 2020_10_07;)