detection rulesuricata

C2 VoidLink agent WebSocket channel (GET /ws/agent)

First seen: 2026-06-16
Last seen: 2026-06-16
Used in: 1 post

SuricataC2 VoidLink agent WebSocket channel (GET /ws/agent)

alert http $HOME_NET any -> any 3100 (msg:"C2 VoidLink agent WebSocket channel (GET /ws/agent)"; \
  flow:to_server,established; \
  http.method; content:"GET"; \
  http.uri; content:"/ws/agent?token="; \
  http.header; content:"Upgrade"; content:"websocket"; distance:0; within:30; \
  classtype:trojan-activity; sid:1000231008; rev:2; \
  metadata:created_at 2026-06-07;)

Posts using this rule

highSelf-Blocking Docker API Abuse Delivers the VoidLink DDoS-for-Hire Botnet
Egress · TCP/3100 · SID 1000231008
After enrolment the agent upgrades to a persistent WebSocket for tasking. The URI carries a `?token=` query parameter holding the enrollment credential, which distinguishes it from generic WebSocket traffic.
2026-06-10