ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC - Suricata Rule 2012767 (et/open)

ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC

SID: 2012767Rev: 110 viewsHistory

Sourceet/open

CreatedMay 3, 2011

UpdatedJuly 26, 2019

Classificationcommand-and-control

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"HttpAddRequestHeader"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012767; rev:11; metadata:created_at 2011_05_03, confidence Medium, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)

References

url	sans.org/reading_room/whitepapers/malicious/rss/_33649

Metadata

created at2011_05_03

confidenceMedium

signature severityUnknown

tagDescription_Generated_By_Proofpoint_Nexus

updated at2019_07_26

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!