Versions (6)
Version Details: Current
Rev: 3 • Mar 16, 2022, 12:00 PM
ET HUNTING PNG image exfiltration over raw TCP
alert tcp $HOME_NET ![80,8080] -> $EXTERNAL_NET any (msg:"ET HUNTING PNG image exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,160; dsize:>11; content:"|89|PNG|0d 0a 1a 0a 00 00 00 0d|IHDR|00 00|"; startswith; flowbits:set,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; classtype:misc-activity; sid:2035476; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_23, reviewed_at 2025_04_17;)
Mar 16, 2022, 12:00 PM
May 23, 2022, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 4, 2025, 9:34 PM
rules/emerging-hunting.rules