Versions (2)
Version Details
Current
Rev: 3 • Mar 3, 2024, 6:45 AM
🐾 - 🚨 👀 geoplugin.net JSON lookup public IP address from local network - Used by Remcos RAT - Possible Leak 🚱
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 👀 geoplugin.net JSON lookup public IP address from local network - Used by Remcos RAT - Possible Leak 🚱"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"geoplugin.net"; fast_pattern; nocase; http.method; content:"GET"; http.uri; content:"/json.gp"; reference:url,https://blog.talosintelligence.com/threat-roundup-1021-1028-2/; metadata:created_at 2024_03_03, updated_at 2024_08_08; sid:3301153; rev:3; classtype:external-ip-check;)
Mar 3, 2024, 6:45 AM
Aug 8, 2024, 12:00 PM
Mar 3, 2024, 6:45 AM
May 29, 2025, 11:12 PM
rules/PAW-PATRULES_LEAKS.rules