Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
IDS Signature to detect the extraneous space in Cobalt Strike < 3.13
alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \
flow:to_client; \
content:"HTTP/1.1 200 OK |0d0a|"; fast_pattern; depth:18; \
content:"Date: "; \
pcre:"/^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; \
threshold:type limit, track by_dst, count 1, seconds 600; \
classtype:trojan-activity; priority:2; \
sid:21002217; rev:3;)

This comment has been minimized.

Copy link
Owner Author

fox-srt commented Apr 30, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.