Rule History

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Possible GIFTEDVISITOR Activity - Ivanti Connect Secure"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/cav/client/visits"; fast_pattern; http.request_body; content:!"GIF8"; startswith; content:"GIF"; startswith; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})(?:\r\n)?$/R"; reference:url,www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/; classtype:command-and-control; sid:2050000; rev:2; metadata:affected_product Python, attack_target Client_and_Server, created_at 2024_01_11, deployment Perimeter, confidence Low, signature_severity Major, tag RAT, tag UTA0178, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_18;)