@fox-srt
Created February 26, 2019 12:26
IDS Signature to detect the extraneous space in Cobalt Strike < 3.13
alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \
flow:to_client; \
content:"HTTP/1.1 200 OK |0d0a|"; fast_pattern; depth:18; \
content:"Date: "; \
pcre:"/^HTTP\/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; \
threshold:type limit, track by_dst, count 1, seconds 600; \
classtype:trojan-activity; priority:2; \
sid:21002217; rev:3;)
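The same fingerprint applied in Python over constructed responses, as an added example that is not part of the gist or of Fox-IT's rule: it ports the rule's two content matches and the PCRE (the trailing space after "200 OK" plus the fixed header order), and the per-destination limit threshold, so the logic can be checked offline against sample headers. The sample responses and IP addresses are constructed.

```python
import re

# Python port of the PCRE in the Fox-IT rule above (added example, not the gist's
# own code). The fingerprint is the extra space between "200 OK" and CRLF in the
# status line, followed by the fixed Content-Type / Date / Content-Length order.
CS_RESPONSE_RE = re.compile(
    rb"^HTTP/1\.1 200 OK \r\n"          # the extraneous space before CRLF
    rb"Content-Type: [^\r\n]{0,100}\r\n"
    rb"Date: [^\r\n]{0,100} GMT\r\n"
    rb"(Content-Length: \d+\r\n)\r\n"
)


def is_cobaltstrike_response(payload: bytes) -> bool:
    # Mirrors the rule's content matches: the 18-byte status line must sit at
    # offset 0 (depth:18) and "Date: " must appear somewhere, then the PCRE.
    if payload[:18] != b"HTTP/1.1 200 OK \r\n" or b"Date: " not in payload:
        return False
    return CS_RESPONSE_RE.match(payload) is not None


def run_rule(events, window=600):
    """Apply threshold:type limit, track by_dst, count 1, seconds 600.
    events: iterable of (timestamp, dst_ip, response_bytes); returns (ts, dst)
    alerts, at most one per destination per window."""
    last_alert = {}
    alerts = []
    for ts, dst, payload in events:
        if not is_cobaltstrike_response(payload):
            continue
        if dst in last_alert and ts - last_alert[dst] < window:
            continue  # suppressed by the limit threshold
        last_alert[dst] = ts
        alerts.append((ts, dst))
    return alerts


# Constructed sample responses (not captured traffic).
CS_LIKE = (b"HTTP/1.1 200 OK \r\nContent-Type: application/octet-stream\r\n"
           b"Date: Tue, 26 Feb 2019 12:26:00 GMT\r\nContent-Length: 0\r\n\r\n")
NGINX_LIKE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
              b"Date: Tue, 26 Feb 2019 12:26:00 GMT\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(is_cobaltstrike_response(CS_LIKE), is_cobaltstrike_response(NGINX_LIKE))
```

A response with the space but a different header order, or a Content-Length-less response, does not match this port either, exactly as it would not match the PCRE in the rule.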
fox-srt commented Apr 30, 2019