Rule History

SID: 10008547 • Source: ptrules/open

Versions (6)

Version Details (Current)

Rev: 2 • Sep 4, 2025, 8:46 AM

TOOLS [PTsecurity] Sliver C2 HTTP Polling (gzip)

alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Polling (gzip)"; flow: established, from_server; http.header; content: "Content-Type|3A| application/x-gzip|0d 0a|"; nocase; content: !"Content-Encoding"; nocase; http.response_body; content: "|1f 8b|"; depth: 2; flowbits: isset, Sliver.HTTP.Encoders; threshold: type limit, track by_src, count 1, seconds 300; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008547; rev: 2;)

Sep 4, 2025, 8:46 AM

Oct 16, 2025, 10:34 AM

rules/ptopen-tools.rules