Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/en/?2"; startswith; fast_pattern; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; http.request_body; content:"f="; startswith; content:"&c="; distance:0; content:"&u="; distance:0; content:"&v="; distance:0; content:"&s="; distance:0; content:"&mi="; distance:0; content:"&t="; distance:0; content:"&txt="; distance:0; content:"&e=EOF"; endswith; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,2d459929135993959cacceb0dd81a813; reference:md5,d01bcca6255a4f062fc59a014f407532; classtype:command-and-control; sid:2031418; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_12_16;)