Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Observed Mirai/Gafgyt Post Brute Force Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fuckyou/xd."; startswith; fast_pattern; http.user_agent; content:"wget/"; startswith; nocase; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; threshold:type both,track by_src, count 30, seconds 60; reference:url,isc.sans.edu/diary/rss/29304; reference:md5,512d5c2ba6b14f732061fc2f28a72f72; classtype:misc-attack; sid:2042956; rev:1; metadata:attack_target Linux_Unix, created_at 2022_12_16, deployment Perimeter, malware_family Mirai, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_12_16; target:src_ip;)