Rule History

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed"; flow:established,to_client; tls.certs; content:"|31 0b 30 09 06 03 55 04 06 13 02|US|31 13 30 11 06 03 55 04 08 13 0a|California|31 16 30 14 06 03 55 04 07 13 0d|San Francisco|31 1b 30 19 06 03 55 04 09 13 12|Golden Gate Bridge|31 0d 30 0b 06 03 55 04 11 13 04|"; fast_pattern; pcre:"/^\d{4}[01]/R"; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037287; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, malware_family Sliver, malware_family Havoc, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_01_03;)