TOOLS [PTsecurity] Sliver C2 HTTP Polling (Base64gzip)
Rev: 2 • Sep 4, 2025, 8:46 AM
alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Polling (Base64gzip)"; flow: established, from_server; http.header; content: "Content-Type|3A| text/plain|3B| charset=utf-8|0d 0a|"; nocase; content: !"Content-Encoding"; nocase; http.response_body; content: "eTKfaaaaaaac"; depth: 12; content: "aaaa"; endswith; flowbits: isset, Sliver.HTTP.Encoders; threshold: type limit, track by_src, count 1, seconds 300; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008546; rev: 2;)
Oct 16, 2025, 10:34 AM
rules/ptopen-tools.rules