Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to NOIP DynDNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030505; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_07_14;)