Rule History

alert http any any -> any any (msg: "LOADER [PTsecurity] SteganoAmor Operation"; flow: established, to_server; http.uri; urilen: >100; content: ".doc"; nocase; offset: 32; content: "_"; content: "/"; pcre: "/^[@a-z]{30,}[_]{2,}[@a-z]{10,}([_]{2,}[@a-z]{10,})?\.[dD][oO][cC](\?|$)/RU"; http.method; content: "HEAD"; http.header; content: "Connection: Keep-Alive"; content: "User-Agent: Microsoft Office"; reference: url, tria.ge/240517-b29pwsbd2w/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011372; rev: 5;)