
Rule History

SID: 10008545 • Source: ptrules/open

Versions (6)

Version Details (Current)

Rev: 3 • Sep 4, 2025, 8:46 AM

TOOLS [PTsecurity] Sliver C2. HTTP Polling. Encoders FB

alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2. HTTP Polling. Encoders FB"; flow: established, to_server; http.method; content: "GET"; http.uri; pcre: "/\?[a-z_]=[a-z0-9_]{7,14}$/U"; http.header.raw; content: "Cookie"; nocase; content: "Accept-Encoding|3A| gzip|0d 0a|"; nocase; http.cookie; pcre: "/^[a-zA-Z0-9\-]*?=[0-9a-f]{32}$/C"; flowbits: set, Sliver.HTTP.Encoders; noalert; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008545; rev: 3;)
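Two things about this rule are easy to miss when reading it. First, it is a flowbit setter, not an alerting rule: `flowbits: set, Sliver.HTTP.Encoders` together with `noalert` means a match marks the flow and produces no alert by itself; whatever fires on that bit is a separate rule with `flowbits: isset`, which this page does not show. Second, the `http.cookie` pcre is anchored at both ends, so the entire Cookie header value must be a single `name=<32 hex>` pair; a browser that sends any additional cookie on the same request takes the flow outside the pattern. The Python below is an added example, not Suricata code and not anything from PT Security or the Sliver project. It transcribes the rule's content and pcre conditions onto a minimal HTTP/1.x request parser and runs them over constructed sample requests (the hostnames, paths, cookie names and the flow tuple are placeholders shaped to the rule's patterns, not captured Sliver traffic); the `flow: established, to_server` condition is transport-level and is not modelled.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Illustrative transcription of SID 10008545; not Suricata, not PT Security code.
URI_RE = re.compile(r"\?[a-z_]=[a-z0-9_]{7,14}$")          # pcre on http.uri
COOKIE_RE = re.compile(r"^[a-zA-Z0-9\-]*?=[0-9a-f]{32}$")   # pcre on http.cookie
FLOWBIT = "Sliver.HTTP.Encoders"                            # flowbits: set, ...

FlowKey = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


def parse_request(raw: bytes) -> Optional[dict]:
    """Split an HTTP/1.x request head into method, URI, headers and raw header bytes.

    Returns None for anything that is not a well-formed request head. The raw
    header block is kept (with its final CRLF restored) because the rule checks
    Accept-Encoding on http.header.raw, i.e. on unnormalised bytes.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "method": parts[0].decode("latin-1"),
        "uri": parts[1].decode("latin-1"),
        "headers": headers,
        "raw_headers": head[len(lines[0]) + 2:] + b"\r\n",
    }


def matches_rule(raw: bytes) -> bool:
    """Evaluate the rule's content/pcre conditions against one request."""
    req = parse_request(raw)
    if req is None:
        return False
    if req["method"] != "GET":                          # http.method; content:"GET"
        return False
    if not URI_RE.search(req["uri"]):                   # http.uri; pcre:"/\?[a-z_]=[a-z0-9_]{7,14}$/"
        return False
    raw_lower = req["raw_headers"].lower()
    if b"cookie" not in raw_lower:                      # http.header.raw; content:"Cookie"; nocase
        return False
    if b"accept-encoding: gzip\r\n" not in raw_lower:   # content:"Accept-Encoding|3A| gzip|0d 0a|"; nocase
        return False
    cookie = req["headers"].get("cookie", "")
    return COOKIE_RE.match(cookie) is not None          # http.cookie; pcre (anchored ^...$)


def process_request(flowbits: Dict[FlowKey, Set[str]], key: FlowKey, raw: bytes) -> bool:
    """Apply the rule to one request on a flow, mirroring 'flowbits: set' + 'noalert'.

    On a match the bit is recorded on the flow and no alert is raised; the
    return value only reports whether the bit was set, which is what a
    follow-up 'flowbits: isset' rule would observe.
    """
    if matches_rule(raw):
        flowbits.setdefault(key, set()).add(FLOWBIT)
        return True
    return False


# Constructed sample traffic (not captured data); placeholders shaped to the patterns.
POLL_REQUEST = (
    b"GET /api/v1/status.php?b=a1b2c3d4e HTTP/1.1\r\n"
    b"Host: cdn.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: PHPSESSID=0123456789abcdef0123456789abcdef\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"\r\n"
)
# Same request with a second cookie: the anchored http.cookie pcre no longer matches.
TWO_COOKIES = POLL_REQUEST.replace(b"Cookie: PHPSESSID=", b"Cookie: lang=en; PHPSESSID=")
# Ordinary browser request: query value too long, several encodings listed.
BROWSER_REQUEST = (
    b"GET /search?q=suricata_rules_sliver HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Cookie: sid=0123456789abcdef0123456789abcdef\r\n"
    b"Accept-Encoding: gzip, deflate, br\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    flows: Dict[FlowKey, Set[str]] = {}
    key: FlowKey = ("10.0.0.5", 51234, "203.0.113.10", 80)
    for name, req in (("poll", POLL_REQUEST), ("two cookies", TWO_COOKIES), ("browser", BROWSER_REQUEST)):
        print(f"{name:12s} -> flowbit set: {process_request(flows, key, req)}")
    print("flowbits on flow:", flows.get(key, set()))
```

Running it sets the flowbit only for the first request; the two-cookie variant shows why this rule is tight rather than broad, and why tuning should happen in the `isset` rule that consumes the bit rather than by loosening this setter.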

Version timestamps:
- Sep 4, 2025, 8:46 AM
- Sep 4, 2025, 8:46 AM
- Oct 16, 2025, 10:34 AM
- Oct 16, 2025, 10:34 AM

File: rules/ptopen-tools.rules