Rule History

SID: 2033939 • Source: et/open

Versions (5)

Version Details (Current)

Rev: 6 • Sep 13, 2021, 12:00 PM

ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"http"; pcre:"/\/[0-9A-Za-z]{8,13}\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:26; fast_pattern; http.host; content:!".freeip.com"; http.content_len; byte_test:0,<,2000,0,string,dec; http.request_body; pcre:"/(?:Q(?:k(?:MIdh|UMcR)|0IPdR)|(?:DQg91|FRghw)F|(?:NCD3U|VGCHA)X|C(?:Qwh2E|RQxxF)|J(?:DCHYT|FDHEW)|R(?:UYIcB|kIJcR)|GQglxE|ZCCXEQ)/"; reference:md5,2933e342334bdb24ba99f70c15506294; reference:md5,e4f16cbac43141987a39f9841642fe90; reference:url,twitter.com/ffforward/status/1437688494017728516; reference:url,twitter.com/ffforward/status/1437473409542262795; classtype:trojan-activity; sid:2033939; rev:6; metadata:created_at 2021_09_13, malware_family SQUIRRELWAFFLE, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_10_04;)

Sep 13, 2021, 12:00 PM

Oct 4, 2021, 12:00 PM

Sep 21, 2024, 3:00 AM

Sep 9, 2025, 9:34 PM

rules/emerging-malware.rules