Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5CONNECT Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5CONNECT|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037225; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_11, reviewed_at 2024_01_08;)