Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🌐 HTTP connection to supicious domain - possible Linkedin phishing 🎣"; flow:to_server, stateless; http.host.raw; content:"linkedin"; nocase; content:!"LINKEDIN.BLOG"; endswith; nocase; content:!"linkedin.blue"; endswith; nocase; content:!".fastly.net"; endswith; nocase; content:!".edgesuite.net"; endswith; nocase; content:!"linkedin.cloud"; endswith; nocase; content:!"linkedin.co"; endswith; nocase; content:!"LINKEDIN.COM"; endswith; nocase; content:!"linkedin.do"; endswith; nocase; content:!"linkedin.fr"; endswith; nocase; content:!"linkedin.global"; endswith; nocase; content:!"linkedin.in"; endswith; nocase; content:!"linkedin.info"; endswith; nocase; content:!"linkedin.link"; endswith; nocase; content:!"LINKEDIN.NET"; endswith; nocase; content:!"linkedin.one"; endswith; nocase; content:!"LINKEDIN.ONL"; endswith; nocase; content:!"LINKEDIN.ONLINE"; endswith; nocase; content:!"LINKEDIN.ORG"; endswith; nocase; content:!"linkedin.photo"; endswith; nocase; content:!"linkedin.sex"; endswith; nocase; content:!"LINKEDIN.SITE"; endswith; nocase; content:!"linkedin.ski"; endswith; nocase; content:!"LINKEDIN.SPACE"; endswith; nocase; content:!"LINKEDIN.STORE"; endswith; nocase; content:!"LINKEDIN.TECH"; endswith; nocase; content:!"linkedin.top"; endswith; nocase; content:!"linkedin.voyage"; endswith; nocase; content:!"LINKEDIN.WEBSITE"; endswith; nocase; content:!"linkedin.work"; endswith; nocase; content:!"LINKEDIN.XYZ"; endswith; nocase; content:!"linkedin.audio"; endswith; nocase; content:!"LINKEDIN.BEST"; endswith; nocase; content:!"linkedin.biz"; endswith; nocase; content:!"linkedin.club"; endswith; nocase; content:!"linkedin.gay"; endswith; nocase; content:!"linkedin.alsace"; endswith; nocase; content:!"linkedin.app"; endswith; nocase; content:!"LINKEDIN.ASIA"; endswith; nocase; content:!"linkedin.dev"; endswith; nocase; content:!"linkedin.page"; endswith; nocase; content:!"linkedin.us"; endswith; nocase; content:!"linkedin.ca"; endswith; nocase; content:!"licdn.com"; endswith; nocase; content:!"linkedin-ei.com"; endswith; nocase; classtype:trojan-activity; metadata:created_at 2022_04_23, updated_at 2025_07_20; sid:3312672; rev:4;)