Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/Hack Browser Data Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; startswith; http.content_type; content:"multipart/form-data|3b 20|boundary="; bsize:90; pcre:"/^multipart/form-data\x3b\x20boundary=[a-f0-9]{60}$/"; http.request_body; content:"name|3d 22|file|22 3b 20|filename|3d 22|"; content:"_=_"; distance:0; fast_pattern; content:"_=_"; distance:0; content:"_=_"; distance:0; content:"_=_"; distance:0; content:".json|22 0d 0a|"; distance:0; reference:md5,4a13256c1c9701146ad9ce6682b1a12e; classtype:command-and-control; sid:2033899; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_03;)