Rule History

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Valve Steam Store Domain in TLS SNI (store .steampowered .com)"; flow:established,to_server; tls.sni; bsize:24; content:"store.steampowered.com"; fast_pattern; reference:url,community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271; classtype:misc-activity; sid:2063969; rev:5; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2025_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_01; target:src_ip;)