Rule History

SID: 10011449 • Source: ptrules/open

Version Details

Rev: 2 • Nov 28, 2024, 12:14 PM

SUSPICIOUS [PTsecurity] Possible SteganoAmor Operation

alert http any any -> any any (msg:"SUSPICIOUS [PTsecurity] Possible SteganoAmor Operation"; flow:established, to_server; http.uri; urilen:>100; content:".doc"; nocase; endswith; content:"_"; content:"/"; pcre:"/^[a-z]{40,}[_]{2,}[a-z]{10,}([_]{2,}[a-z]{10,})?\.[dD][oO][cC]$/RU"; http.method; content:"GET"; http.header; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate"; content:"Connection: Keep-Alive"; content:!"Referer"; reference:url, https://app.any.run/tasks/aa5684e6-a51b-4667-9202-c128478db7a4; reference:url, rules.ptsecurity.com; classtype:misc-activity; sid:10011449; rev:2;)
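To see exactly what this rule does and does not fire on, the following added example emulates its match conditions offline in Python. It is not Suricata and not PT Security's code: the keyword semantics (urilen, content with nocase/endswith, the relative pcre on the normalized URI, positive and negated http.header content) are approximated on a parsed raw request, and every request in it is constructed for the example rather than observed traffic. The host and User-Agent values are placeholders; Suricata's URI and header normalization (for example, the Cookie header living in its own buffer) is not reproduced.

```python
import re

# Added example (not Suricata, not PT Security code): offline emulation of the
# match conditions of SID 10011449 so the rule logic can be exercised against
# constructed requests without a sensor.

# The pcre taken verbatim from the rule. In the rule it carries /RU, i.e. it is
# anchored right after the last content match ("/") on the normalized URI.
# Suricata retries that content at every "/" in the buffer, and since the
# pattern allows no "/" and is anchored at the end, only the text after the
# final "/" can satisfy it.
SEGMENT_RE = re.compile(r"^[a-z]{40,}[_]{2,}[a-z]{10,}([_]{2,}[a-z]{10,})?\.[dD][oO][cC]$")

# http.header content matches; case-sensitive because the rule sets no nocase on them.
REQUIRED_HEADERS = ("Accept: */*", "Accept-Encoding: gzip, deflate", "Connection: Keep-Alive")
FORBIDDEN_HEADER = "Referer"   # content:!"Referer"


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, header_block)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, uri, _version = parts
    return method, uri, header_block


def matches_sid_10011449(raw: str) -> bool:
    """Return True when every keyword of the rule would match this request."""
    method, uri, headers = parse_request(raw)
    if method != "GET":                      # http.method; content:"GET"
        return False
    if len(uri) <= 100:                      # http.uri; urilen:>100
        return False
    if not uri.lower().endswith(".doc"):     # content:".doc"; nocase; endswith
        return False
    if "_" not in uri or "/" not in uri:     # content:"_"; content:"/" (plain substring checks)
        return False
    last_segment = uri.rsplit("/", 1)[1]     # pcre anchored after the last "/"
    if not SEGMENT_RE.match(last_segment):
        return False
    # http.header: approximation that uses the raw header block as-is.
    if not all(h in headers for h in REQUIRED_HEADERS):
        return False
    if FORBIDDEN_HEADER in headers:
        return False
    return True


def build_request(uri: str, extra_headers=(), method: str = "GET") -> str:
    """Constructed request carrying the header set the rule expects (placeholder values)."""
    headers = [
        "Host: example.invalid",
        "Accept: */*",
        "Accept-Encoding: gzip, deflate",
        "Connection: Keep-Alive",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
    ]
    headers.extend(extra_headers)
    return "\r\n".join([f"{method} {uri} HTTP/1.1", *headers]) + "\r\n\r\n"


# Constructed URIs, not observed ones. LONG_URI is 116 characters; SHORT_URI (57)
# satisfies the pcre but not urilen:>100.
LONG_URI = "/" + "abcdefghij" * 8 + "__" + "qwertyuiopasdfg" + "__" + "zxcvbnmlkjhg" + ".doc"
SHORT_URI = "/" + "abcdefghij" * 4 + "__" + "qwertyuiop" + ".doc"

SAMPLES = {
    "baseline_match": build_request(LONG_URI),
    "uppercase_doc": build_request(LONG_URI[:-4] + ".DOC"),        # nocase + [dD][oO][cC]
    "nested_path": build_request("/upload/files" + LONG_URI),        # only the last segment matters
    "with_referer": build_request(LONG_URI, ["Referer: http://example.invalid/"]),
    "too_short": build_request(SHORT_URI),
    "single_underscore": build_request(LONG_URI.replace("__", "_")),
    "digits_in_name": build_request(LONG_URI.replace("abcde", "ab1de", 1)),
    "post_method": build_request(LONG_URI, method="POST"),
    "connection_close": build_request(LONG_URI).replace("Keep-Alive", "close"),
}


def run_samples() -> dict:
    """Evaluate every constructed sample against the emulated rule."""
    return {name: matches_sid_10011449(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:18s} {'ALERT' if hit else 'no match'}")
```

Two things worth noting when tuning this rule: the pcre alone admits names as short as 56 characters (40 + 2 + 10 + 4), so it is the separate urilen:>100 check that rejects the too_short case; and because the pcre already requires both a double underscore and a trailing .doc, the standalone content:"_" and content:"/" matches add nothing to precision and serve only as cheap pre-filters before the regex runs.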

Nov 28, 2024, 12:14 PM

Dec 3, 2024, 4:43 PM

May 30, 2025, 5:56 PM