Further verification and vallidation

Morning team Emerging threats

can please advise if there is another software that can verify and validate this below signature rule as an alert, nexsus and malware byte scans have proven futile in raising alerts of this rule except for security onion


Appreciate your advise and assistance


Hi @prime69!

Thanks for reaching out! This signature is basically just looking for HTTP requests that download an executable with a suspicious filename which is a little generic and makes the rule more prone to false positives. This link shows some examples of true positives that will trigger the signature.

Here is a breakdown of what the



  1. [A-Z]? - The executable name can start with a capital letter but it is not required.
  2. [a-z]{1,3} - There must be at least three consecutive lowercase characters.
  3. [0-9]? - The executable name can end in a digit but it is not required.
  4. \.exe$ - The filename/url must end .exe

If you have an example URL or pcap you can share Iā€™m happy to take a look and make any adjustments to the signature if we need to!


1 Like

Thanks Isaac

for the insight, apologise i keep forgetting to add the pcap

will make sure i add it for the next alert


1 Like