Rule History

alert http any any -> any any (msg: "BACKDOOR [PTsecurity] NGLite/NKAbuse"; flow: established, to_server; content: "POST"; http_method; content: "User-Agent: Go-http-client/"; http_header; content: "{|22|id|22|:|22|nkn-sdk-go|22|,|22|method|22|:|22|getwsaddr|22|,|22|params|22|:{|22|address|22|:|22|__"; http_client_body; depth: 63; content: !"Referer|3a|"; http_header; reference: url, https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006871; rev: 3;)