Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CHAOS RAT/AlfaC2 Client Checkin"; flow:established,to_server; http.uri; bsize:7; content:"/client"; http.user_agent; content:"Go-http-client/"; startswith; http.header_names; content:"|0d 0a|X-Client|0d 0a|"; fast_pattern; http.header; content:"Upgrade|3a 20|websocket|0d 0a|"; content:"X-Client|3a 20|"; pcre:"/^(?:[a-f0-9]{2}\x3a){5}[a-f0-9]{2}[\r\n]+$/Rm"; http.cookie; content:"jwt="; startswith; content:".eyJhdXRob3JpemVkIj"; distance:0; content:!"|3b|"; distance:0; reference:md5,d0ea84204096109f18a2201fae1c4f30; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2046872; rev:1; metadata:attack_target Client_and_Server, created_at 2023_07_20, deployment Perimeter, malware_family CHAOS, performance_impact Low, confidence High, signature_severity Critical, tag RemoteAccessTool, updated_at 2023_11_27; target:src_ip;)