ET HUNTING Terse Named Filename EXE Download - Possibly Hostile
Source: et/open
Created: January 16, 2015
Updated: May 24, 2023
Classification: suspicious-filename-detect
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Terse Named Filename EXE Download - Possibly Hostile"; flow:established,to_client; http.header; content:"filename="; content:".exe"; within:8; fast_pattern; pcre:"/filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe/i"; classtype:suspicious-filename-detect; sid:2020202; rev:5; metadata:attack_target Client_and_Server, created_at 2015_01_16, deployment Perimeter, deployment SSLDecrypt, deployment alert_only, performance_impact Moderate, confidence Low, signature_severity Informational, updated_at 2023_05_24; target:dest_ip;)
Metadata
attack target: Client_and_Server
created at: 2015_01_16
deployment: alert_only
performance impact: Moderate
confidence: Low
signature severity: Informational
updated at: 2023_05_24