Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Muhstik Botnet Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; pcre:"/^(?:curl|wget)/i"; http.uri; content:"/dk"; startswith; fast_pattern; pcre:"/^[0-9]{2}$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/; reference:md5,898b3dc58bc5d05d3034a1c259b5a915; classtype:trojan-activity; sid:2033916; rev:1; metadata:created_at 2021_09_09, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_09;)