Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LeftHook Stealer - CnC Response (get_socket)"; flow:established,to_client; http.content_len; byte_test:0,<=,50,0,string,dec; http.header; content:"Connection|3a 20|keep-alive|0d 0a|"; content:"Content-Language|3a 20|ru|0d 0a|"; http.response_body; content:"|7b 22|address|22 3a 22|"; startswith; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}/R"; content:"|22 2c 22|collect|5f|data|22 3a|"; fast_pattern; pcre:"/^(?:false|true)\x7d$/R"; reference:url,twitter.com/crep1x/status/1648063045808148481; reference:md5,61bb691f0c875d3d82521a6fa878e402; classtype:command-and-control; sid:2045006; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_04_18, deployment Perimeter, malware_family Win32_LeftHook, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_28;)