Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA401/AridViper APT Micropsia Variant Related Activity (POST)"; flow:established,to_server; urilen:>30; http.method; content:"POST"; http.uri; content:!"|2e|"; http.content_type; bsize:48; content:"application/x-www-form-urlencoded|3b 20|charset=utf-8"; http.accept_enc; bsize:4; content:"UTF8"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"Ace="; startswith; fast_pattern; reference:md5,36e291abe37fff7868c5ca7d4105c86b; reference:url,www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/; classtype:trojan-activity; sid:2052361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_05_02, deployment Perimeter, malware_family AridViper, malware_family TA401, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_05_02; target:src_ip;)