🐾 - 🚨 Suspicious User-Agent - Possible Suo5 HTTP proxy tunneling tool 🙈
Source: pawpatrules
Created: July 14, 2025
Updated: July 14, 2025
Classification: command-and-control
alert http any any -> any any (msg:"🐾 - 🚨 Suspicious User-Agent - Possible Suo5 HTTP proxy tunneling tool 🙈"; flow:to_server, stateless; http.user_agent; content:"|4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 4c 69 6e 75 78 3b 20 41 6e 64 72 6f 69 64 20 36 2e 30 3b 20 4e 65 78 75 73 20 35 20 42 75 69 6c 64 2f 4d 52 41 35 38 4e 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 31 30 39 2e 31 2e 32 2e 33|"; reference:url,https://www.synacktiv.com/en/publications/open-source-toolset-of-an-ivanti-csa-attacker#suo5; reference:url,https://github.com/zema1/suo5/tree/main; reference:url,https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf; reference:url,https://attack.mitre.org/techniques/T1572/; target:src_ip; metadata:created_at 2025_07_14, updated_at 2025_07_14, signature_severity Major, attack_target Client_and_Server, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1572, mitre_technique_name Protocol_Tunneling; sid:3321451; rev:1; classtype:command-and-control;)
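The rule's only match condition is the hex `content` on the `http.user_agent` buffer. A Suricata `content` match without `nocase` is a case-sensitive substring test, so the rule fires whenever the request's User-Agent contains that exact byte sequence, whatever surrounds it. The following Python is an added example, not part of pawpatrules or the suo5 project: it decodes the hex from the signature above, extracts the User-Agent from raw HTTP request bytes, and applies the same substring semantics to a few constructed requests (all sample requests, hosts and paths are made up for the demonstration).

```python
from typing import Dict, List, Optional

# Hex bytes copied verbatim from the http.user_agent content match in the rule above.
RULE_CONTENT_HEX = (
    "4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 4c 69 6e 75 78 3b 20 41 6e 64 72 6f 69 64 "
    "20 36 2e 30 3b 20 4e 65 78 75 73 20 35 20 42 75 69 6c 64 2f 4d 52 41 35 38 4e 29 "
    "20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c "
    "20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 31 30 39 2e 31 2e 32 2e 33"
)


def decode_content(hex_bytes: str) -> bytes:
    """Turn a Suricata |xx xx ...| hex content string into raw bytes."""
    return bytes.fromhex(hex_bytes.replace(" ", ""))


# The byte string the rule actually looks for, decoded once at import time.
RULE_NEEDLE: bytes = decode_content(RULE_CONTENT_HEX)


def user_agent_of(request: bytes) -> Optional[bytes]:
    """Return the value of the User-Agent header from a raw HTTP/1.x request, or None.

    Header names are matched case-insensitively (as HTTP requires); the value is
    returned untouched so the caller can apply the rule's case-sensitive match.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None


def matches_rule(request: bytes, needle: bytes = RULE_NEEDLE) -> bool:
    """Mimic `http.user_agent; content:"|...|";` : case-sensitive substring on the UA."""
    ua = user_agent_of(request)
    return ua is not None and needle in ua


# Constructed sample requests (not real captures) to exercise the matcher.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    # Exact User-Agent from the signature: should alert.
    "suo5_default_ua": (
        b"POST / HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) "
        b"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.1.2.3\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    # Ordinary-looking Chrome UA with a different version string: should not alert.
    "generic_chrome": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) "
        b"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36\r\n\r\n"
    ),
    # Same text in lower case: the rule has no `nocase`, so this does not alert.
    "lowercased_ua": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"user-agent: mozilla/5.0 (linux; android 6.0; nexus 5 build/mra58n) "
        b"applewebkit/537.36 (khtml, like gecko) chrome/109.1.2.3\r\n\r\n"
    ),
    # No User-Agent header at all: nothing to match against.
    "no_ua": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def scan(requests: Dict[str, bytes]) -> List[str]:
    """Return the names of the sample requests that would trigger the rule."""
    return [name for name, req in requests.items() if matches_rule(req)]


if __name__ == "__main__":
    print("rule matches on User-Agent containing:", RULE_NEEDLE.decode("ascii"))
    for name in scan(SAMPLE_REQUESTS):
        print("ALERT sid:3321451 ->", name)
```

Decoding the hex shows the indicator is the full `Chrome/109.1.2.3` User-Agent string; the `generic_chrome` sample demonstrates that a near-identical but differently versioned browser UA does not fire, and `lowercased_ua` shows why adding `nocase` would widen (and loosen) the match if a tuned variant of this rule were ever wanted.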
References
- https://www.synacktiv.com/en/publications/open-source-toolset-of-an-ivanti-csa-attacker#suo5
- https://github.com/zema1/suo5/tree/main
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
- https://attack.mitre.org/techniques/T1572/
Metadata
- created_at: 2025_07_14
- updated_at: 2025_07_14
- signature_severity: Major
- attack_target: Client_and_Server
- mitre_tactic_id: TA0011
- mitre_tactic_name: Command_and_Control
- mitre_technique_id: T1572
- mitre_technique_name: Protocol_Tunneling
- sid: 3321451
- rev: 1
- classtype: command-and-control