Rule History

SID: 10008452 • Source: ptrules/open

Versions (6)

Version DetailsCurrent

Rev: 2 • Oct 9, 2025, 2:49 PM

Message:

REMOTE [PTsecurity] Possible PupyRAT

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] Possible PupyRAT"; flow: established, to_client; content: "200"; http_stat_code; content: "Content-Type: text/html|3b| charset=utf-8"; http_header; content: "Connection: keep-alive"; nocase; http_header; content: "X-Poll-Required: true"; http_header; fast_pattern; content: "Server:"; http_header; content: "Content-Length:"; http_header; pcre: "/^(?:[A-Za-z0-9\-\_]{4}){10,}(?:[A-Za-z0-9\-\_]{2}[AEIMQUYcgkosw048]|[A-Za-z0-9\-\_][AQgw])$|(?:[A-Za-z0-9\-\_]{4}){11,}$/Q"; reference: url, https://github.com/n1nj4sec/pupy/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10008452; rev: 2;)

Created:

Oct 9, 2025, 2:49 PM

Updated:

Oct 9, 2025, 2:49 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

Oct 16, 2025, 10:34 AM

Filename:

rules/ptopen-malware.rules