Rule History

SID: 2046279 • Source: et/open

Versions (2)

Version Details (Current)

Rev: 2 (Jun 15, 2023, 12:00 PM)

ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M7

alert tcp-pkt any any -> $SMTP_SERVERS [25,587] (msg:"ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M7"; flow:stateless,to_server; flags:S; tcp.hdr; content:"|ed 9c|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; reference:url,www.mandiant.com/resources/blog/barracuda-esg-exploited-globally; classtype:command-and-control; sid:2046279; rev:2; metadata:affected_product Barracuda_ESG, attack_target SMTP_Server, created_at 2023_06_15, deployment Perimeter, deployment Internal, deprecation_reason False_Positive, malware_family SEASPY, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_06_21; target:dest_ip;)

Jun 15, 2023, 12:00 PM

Jun 21, 2023, 12:00 PM

Jun 15, 2023, 10:00 PM

May 31, 2024, 9:00 PM

rules/emerging-malware.rules