Rule History

SID: 2051909 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 1 • Apr 3, 2024, 12:00 PM

Message:

ET MALWARE Win32/FireStealer Related Server Response

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/FireStealer Related Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.server; content:"nginx"; bsize:5; http.content_type; content:"application/json|3b 20|charset=utf-8"; bsize:31; file.data; content:"|7b 22|status|22 3a 20 22|Success|22 2c 20 22|k|22 3a 20 22|"; startswith; fast_pattern; content:"|22 2c 20 22|c|22 3a 20|"; distance:0; reference:md5,03f80949b6a0d5148c4e0d0557175131; classtype:trojan-activity; sid:2051909; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2024_04_03, deployment Perimeter, malware_family Win32_FireStealer, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_03; target:dest_ip;)

Created:

Apr 3, 2024, 12:00 PM

Updated:

Apr 3, 2024, 12:00 PM

DB Created:

Apr 10, 2024, 9:04 PM

DB Updated:

Aug 12, 2025, 9:34 PM

Filename:

rules/emerging-malware.rules