Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected NginxSpy Related Request (Inbound)"; flow:established,to_server; flowbits:set,ET.nginxspy; http.request_line; content:"GET / HTTP/1.0"; http.user_agent; content:"360|20|Safe|20|Browser|20|2.0"; bsize:20; fast_pattern; reference:url,jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_4_peter-jr-wei_en.pdf; classtype:trojan-activity; sid:2044122; rev:1; metadata:attack_target Web_Server, created_at 2023_02_06, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_02_06; target:dest_ip;)