Rule History

SID: 10011372 • Source: ptrules/open

Version Details

Rev: 4 (Apr 18, 2025, 2:34 PM)

SUSPICIOUS [PTsecurity] Possible SteganoAmor Operation

alert http any any -> any any (msg:"SUSPICIOUS [PTsecurity] Possible SteganoAmor Operation"; flow:established, to_server; http.uri; urilen:>100; content:".doc"; nocase; offset:32; content:"_"; content:"/"; pcre:"/^[a-z]{30,}[_]{2,}[a-z]{10,}([_]{2,}[a-z]{10,})?\.[dD][oO][cC](\?|$)/RU"; http.method; content:"HEAD"; http.header; content:"Connection: Keep-Alive"; content:"User-Agent: Microsoft Office"; reference:url, https://tria.ge/240517-b29pwsbd2w/behavioral1; reference:url, rules.ptsecurity.com; classtype:misc-activity; sid:10011372; rev:4;)

Apr 18, 2025, 2:34 PM

Apr 18, 2025, 2:34 PM

Oct 7, 2025, 5:34 PM

Oct 7, 2025, 5:34 PM

Oct 10, 2025, 6:36 PM

rules/ptopen-info.rules