
Rule History

SID: 2610546 • Source: tgreen/hunting

Versions (5)

Version Details (Current)

Rev: 1 • Mar 19, 2025, 4:38 PM

TGI HUNT DS Metasploit Meterpreter HTTP Checkin

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TGI HUNT DS Metasploit Meterpreter HTTP Checkin"; flow:to_server,established; content:"RECV"; http_client_body; depth:4; fast_pattern; isdataat:!0,relative; urilen:22<>25,norm; content:"POST"; http_method; pcre:"/^\/[a-z0-9]{4,5}_[a-z0-9]{16}\/$/Ui"; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module/; sid:2610546; rev:1;)

Mar 19, 2025, 4:38 PM

Nov 28, 2025, 4:54 PM

Jul 29, 2025, 5:35 PM

Nov 28, 2025, 5:34 PM

hunting.rules