alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; http_uri; distance:1; within:8; fast_pattern; isdataat:!1,relative; content:!"download.bitdefender.com"; http_host; isdataat:!1,relative; content:!".appspot.com"; http_host; isdataat:!1,relative; content:!"kaspersky.com"; http_host; isdataat:!1,relative; content:!".sophosxl.net"; http_host; isdataat:!1,relative; content:!"koggames"; http_header; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; http_header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:10; metadata:created_at 2014_11_14, former_category CURRENT_EVENTS, updated_at 2020_09_16;)

Added 2020-11-24 17:54:50 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; http_uri; distance:1; within:8; fast_pattern; isdataat:!1,relative; content:!"download.bitdefender.com"; http_host; isdataat:!1,relative; content:!".appspot.com"; http_host; isdataat:!1,relative; content:!"kaspersky.com"; http_host; isdataat:!1,relative; content:!".sophosxl.net"; http_host; isdataat:!1,relative; content:!"koggames"; http_header; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; http_header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:10; metadata:created_at 2014_11_14, updated_at 2020_09_16;)

Added 2020-09-16 18:29:29 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; http_uri; distance:1; within:8; fast_pattern; isdataat:!1,relative; content:!"download.bitdefender.com"; http_host; isdataat:!1,relative; content:!".appspot.com"; http_host; isdataat:!1,relative; content:!"kaspersky.com"; http_host; isdataat:!1,relative; content:!".sophosxl.net"; http_host; isdataat:!1,relative; content:!"koggames"; http_header; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; http_header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:10; metadata:created_at 2014_11_14, updated_at 2019_09_28;)

Added 2019-10-01 08:28:11 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; http_uri; distance:1; within:8; fast_pattern; isdataat:!1,relative; content:!"download.bitdefender.com"; http_host; isdataat:!1,relative; content:!".appspot.com"; http_host; isdataat:!1,relative; content:!"kaspersky.com"; http_host; isdataat:!1,relative; content:!".sophosxl.net"; http_host; isdataat:!1,relative; content:!"koggames"; http_header; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; http_header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:10; metadata:created_at 2014_11_14, updated_at 2019_09_28;)

Added 2019-10-01 04:22:35 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; http_uri; distance:1; within:8; fast_pattern; isdataat:!1,relative; content:!"download.bitdefender.com"; http_host; isdataat:!1,relative; content:!".appspot.com"; http_host; isdataat:!1,relative; content:!"kaspersky.com"; http_host; isdataat:!1,relative; content:!".sophosxl.net"; http_host; isdataat:!1,relative; content:!"koggames"; http_header; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; http_header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:10; metadata:created_at 2014_11_14, updated_at 2017_02_03;)

Added 2018-09-13 19:49:49 UTC


Added 2018-09-13 17:59:17 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; content:!"download.bitdefender.com|0d 0a|"; http_header; content:!".appspot.com|0d 0a|"; http_header; nocase; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; content:!"kaspersky.com|0d 0a|"; http_header; content:!".sophosxl.net"; http_header; content:!"koggames"; http_header; classtype:bad-unknown; sid:2019714; rev:8; metadata:created_at 2014_11_14, updated_at 2017_02_03;)

Added 2017-08-07 21:14:01 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; content:!"download.bitdefender.com|0d 0a|"; http_header; content:!".appspot.com|0d 0a|"; http_header; nocase; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; content:!"kaspersky.com|0d 0a|"; http_header; content:!".sophosxl.net"; http_header; content:!"koggames"; http_header; classtype:bad-unknown; sid:2019714; rev:8;)

Added 2017-05-01 16:57:59 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; content:!"download.bitdefender.com|0d 0a|"; http_header; content:!".appspot.com|0d 0a|"; http_header; nocase; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; content:!"kaspersky.com|0d 0a|"; http_header; content:!".sophosxl.net"; http_header; classtype:bad-unknown; sid:2019714; rev:7;)

Added 2017-02-03 17:09:19 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; content:!"download.bitdefender.com|0d 0a|"; http_header; content:!".appspot.com|0d 0a|"; http_header; nocase; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; content:!"kaspersky.com|0d 0a|"; http_header; classtype:bad-unknown; sid:2019714; rev:6;)

Added 2017-01-03 18:31:35 UTC

Hello. Please consider rule modification. FP for Sophos AV

Sophos SXL detected. SXL stands for Sophos Extensible List. It is used for retrieving data from a remote computer. For more details please refer to https://community.sophos.com/kb/zh-cn/117936

PCAP:

_____________________________________________

PUT /C:%5CWindows%5CSysWOW64%5Ccmd.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Sophos Telemetry/1.0
Content-Length: 1064
Host: xxxxxxxxxxxxxxxxxxxx.5.samples.sophosxl.net

HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Date: Thu, 02 Feb 2017 21:29:18 GMT
x-amz-expiration: expiry-date="Sat, 04 Feb 2017 00:00:00 GMT", rule-id="DeleteAfter1day"
ETag: "xxxxxxxxxx"
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 6e52c2b5ee04b03daebde778694a698a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xxxxxxxxxx==

_______________________________________________

SXL lookup types

The protocols that SXL uses vary depending on the version and type of the lookup that is carried out, as detailed in the following table:

.... .... ...

5.samples.sophosxl.net HTTP SXL2 File Submissions

.........

Thanks, Regards

-- MaksymParpaley - 2017-02-03

Thank you Maksym, we'll get this fixed up today!

-- DarienH - 2017-02-03
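To show why the Sophos SXL submission in the report above trips the pcre and what the rev:7 exception changes, here is an added Python model of the rule's URI and header checks (example code written for this page, not Emerging Threats' rule or the Snort/Suricata matching engine). It assumes the inspector normalizes backslashes to "/" as the report implies, approximates the host exceptions as substring checks on the Host header, and uses files.example.invalid as a placeholder host.

```python
import re
from urllib.parse import unquote

# The pcre from sid 2019714, "/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U", applied to the
# normalized URI buffer: a slash, an optional capital, 1-3 lowercase letters,
# an optional digit, then ".exe" at the end of the URI.
TERSE_EXE = re.compile(r"/[A-Z]?[a-z]{1,3}[0-9]?\.exe$")

# Exception strings each revision on this page added (rev:8 checks koggames in any
# header; it is approximated here as a Host substring like the others).
EXCEPTIONS = {
    3: [],
    4: ["download.bitdefender.com"],
    5: ["download.bitdefender.com", ".appspot.com"],
    6: ["download.bitdefender.com", ".appspot.com", "kaspersky.com"],
    7: ["download.bitdefender.com", ".appspot.com", "kaspersky.com", ".sophosxl.net"],
    8: ["download.bitdefender.com", ".appspot.com", "kaspersky.com", ".sophosxl.net", "koggames"],
}

def normalize_uri(raw_uri):
    """Approximate the /U buffer: percent-decode, then fold IIS-style backslashes
    to '/'. This is why %5Ccmd.exe ends up looking like a terse /cmd.exe."""
    return unquote(raw_uri).replace("\\", "/")

def parse_request(raw):
    """Split a CRLF-delimited HTTP request head into (method, uri, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def rule_matches(raw_request, rev=7):
    """True if every check of sid 2019714, at the given revision, passes."""
    _method, uri, headers = parse_request(raw_request)
    if "referer" in headers:                      # content:!"Referer|3a 20|"
        return False
    if not TERSE_EXE.search(normalize_uri(uri)):  # the URI pcre
        return False
    host = headers.get("host", "")
    return not any(exc in host for exc in EXCEPTIONS[rev])

# Constructed samples: the Sophos submission from the report (host anonymized as
# in the report) and a terse-name download to a placeholder host.
SOPHOS_PUT = ("PUT /C:%5CWindows%5CSysWOW64%5Ccmd.exe HTTP/1.1\r\n"
              "Connection: Keep-Alive\r\nUser-Agent: Sophos Telemetry/1.0\r\n"
              "Content-Length: 1064\r\nHost: xxxxxxxxxxxxxxxxxxxx.5.samples.sophosxl.net\r\n\r\n")
TERSE_GET = ("GET /Ab3.exe HTTP/1.1\r\nHost: files.example.invalid\r\n"
             "User-Agent: Mozilla/4.0\r\n\r\n")
LONG_NAME_GET = TERSE_GET.replace("/Ab3.exe", "/setup_installer.exe")

if __name__ == "__main__":
    for rev in (6, 7):
        print(f"rev {rev}: Sophos PUT alerts -> {rule_matches(SOPHOS_PUT, rev)}")
    print("terse GET alerts ->", rule_matches(TERSE_GET))
    print("long filename alerts ->", rule_matches(LONG_NAME_GET))
```

Running it shows the Sophos PUT alerting under rev:6 and being excluded under rev:7, while a terse-name download to an unlisted host still alerts.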


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; content:!"download.bitdefender.com|0d 0a|"; http_header; content:!".appspot.com|0d 0a|"; http_header; nocase; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; classtype:bad-unknown; sid:2019714; rev:5;)

Added 2016-08-24 18:19:11 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; content:!"download.bitdefender.com|0d 0a|"; http_header; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; classtype:bad-unknown; sid:2019714; rev:4;)

Added 2016-07-12 22:51:21 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; classtype:bad-unknown; sid:2019714; rev:3;)

Added 2014-11-14 18:33:16 UTC


Topic revision: r3 - 2017-02-03 - DarienH