Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA399/Sidewinder Activity Payload Request M3, Microsoft Word UA Request for .rtf"; flow:established,to_server; http.uri; content:"|2e|rtf"; endswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; nocase; http.user_agent; content:"Microsoft|20|Office|20|Word"; startswith; fast_pattern; classtype:command-and-control; sid:2055080; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_08_08, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag TA399, updated_at 2024_09_26;)