Rule History

alert http any any -> any any (msg: "TOOLS [PTsecurity] Sliver C2 HTTP Polling (English)"; flow: established, from_server; http.header; content: "Content-Type|3A| text/plain|3B| charset=utf-8|0d 0a|"; nocase; content: !"Content-Encoding"; nocase; http.response_body; pcre: "/^(?:[A-Z]{2,20}\s?){40,}$/Q"; flowbits: isset, Sliver.HTTP.Encoders; threshold: type limit, track by_src, count 1, seconds 300; reference: url, github.com/BishopFox/sliver; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008548; rev: 3;)