Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LeftHook Stealer CnC Command - get_socket (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.connection; content:"keep-alive"; http.content_len; content:"49"; bsize:2; http.header; content:"Origin: chrome-extension://"; pcre:"/^(?:[a-z]{32})\x0d\x0a/R"; http.request_body; bsize:49; content:"action=get_socket&botID="; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9]{25}$/R"; reference:md5,61bb691f0c875d3d82521a6fa878e402; reference:url,twitter.com/Jane_0sint/status/1648075834702413830; classtype:trojan-activity; sid:2045003; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_18, malware_family Win32_LeftHook, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_18;)