Rule History

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed"; flow:established,to_client; tls.certs; content:"|31 0b 30 09 06 03 55 04 06 13 02|US|31 11 30 0f 06 03 55 04 08 13 08|Illinois|31 0f 30 0d 06 03 55 04 07 13 06|Peoria|31 09 30 07 06 03 55 04 09 13 00 31 0d 30 0b 06 03 55 04 11 13 04|"; fast_pattern; pcre:"/^\d{4}/R"; content:"|31 0b 30 09 06 03 55 04 0a 13 02|co"; nocase; within:13; content:"|06 03 55 04 03|"; distance:4; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037412; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, malware_family Sliver, malware_family Havoc, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_01_03;)