ET HUNTING Suspicious HTTP Server Value in Response (Apache \r\n)

7.0.35.0SID: 2049205Rev: 2Enabled13 views
Sourceet/open
Fileemerging-hunting.rules
CreatedNovember 15, 2023
UpdatedApril 18, 2024
Classificationmisc-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTTP Server Value in Response (Apache \r\n)"; flow:established,to_client; http.server; bsize:11; content:"Apache|20 5c|r|5c|n"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.fox-it.com/2023/11/15/the-spelling-police-searching-for-malicious-http-servers-by-identifying-typos-in-http-responses; classtype:misc-activity; sid:2049205; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_11_15, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_18;)

Metadata

attack targetClient_Endpoint
created at2023_11_15
deploymentSSLDecrypt
confidenceMedium
signature severityInformational
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_04_18

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!