Rule History

alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Pikabot Related Activity M5 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/"; startswith; pcre:"/^(?:(admin|apps|api))\.[^\r\n]+\.(?:(list|test|listGroups|deny|request|removeGroup|invalidate))$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|"; startswith; content:!"Referer"; http.request_body; content:"|00 00|"; startswith; content:"|00 00 12 91 00 00 16 87 00 00 00|"; fast_pattern; distance:2; within:11; reference:md5,62a72000766f207bcadb39f449034fc0; classtype:trojan-activity; sid:2050874; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_02_14, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_14; target:src_ip;)