Leithal Nov 20 @ 8:36am
Valve Security Alert
I was hacked a while ago. I'm not running nested routers, and have my first IDS on-line.

Frequently I'm getting Alerts from that system - All Valve.

Either I've been hacked again this quickly, or this is normal traffic/behavior?


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Steam HTTP Client User-Agent"; flow:established,to_server; http.user_agent; content:"Valve/Steam HTTP Client"; depth:23; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2028651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_10_16;)



Payload

00000000 47 45 54 20 2f 32 30 34 20 48 54 54 50 2f 31 2e GET./204.HTTP/1.
00000010 31 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 1..Cache-Control
00000020 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 48 6f 73 74 :.no-cache..Host
00000030 3a 20 74 65 73 74 2e 73 74 65 61 6d 70 6f 77 65 :.test.steampowe
00000040 72 65 64 2e 63 6f 6d 0d 0a 41 63 63 65 70 74 3a red.com..Accept:
00000050 20 74 65 78 74 2f 68 74 6d 6c 2c 2a 2f 2a 3b 71 .text/html,*/*;q
00000060 3d 30 2e 39 0d 0a 61 63 63 65 70 74 2d 65 6e 63 =0.9..accept-enc
00000070 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 69 64 65 6e oding:.gzip,iden
00000080 74 69 74 79 2c 2a 3b 71 3d 30 0d 0a 61 63 63 65 tity,*;q=0..acce
00000090 70 74 2d 63 68 61 72 73 65 74 3a 20 49 53 4f 2d pt-charset:.ISO-
000000a0 38 38 35 39 2d 31 2c 75 74 66 2d 38 2c 2a 3b 71 8859-1,utf-8,*;q
000000b0 3d 30 2e 37 0d 0a 75 73 65 72 2d 61 67 65 6e 74 =0.7..user-agent
000000c0 3a 20 56 61 6c 76 65 2f 53 74 65 61 6d 20 48 54 :.Valve/Steam.HT
000000d0 54 50 20 43 6c 69 65 6e 74 20 31 2e 30 0d 0a 0d TP.Client.1.0...
000000e0 0a .
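Added example, not part of the original post: a short Python script that rebuilds the HTTP request from the hex dump above and checks it against the rule's own content/depth options, then reports the rule's classtype and signature_severity. The rule text and dump are copied from the post; the function names are illustrative.

```python
import re

# Both inputs are copied from the post above: the rule text and the payload dump.
RULE = 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Steam HTTP Client User-Agent"; flow:established,to_server; http.user_agent; content:"Valve/Steam HTTP Client"; depth:23; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2028651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_10_16;)'
DUMP = """\
00000000 47 45 54 20 2f 32 30 34 20 48 54 54 50 2f 31 2e GET./204.HTTP/1.
00000010 31 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 1..Cache-Control
00000020 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 48 6f 73 74 :.no-cache..Host
00000030 3a 20 74 65 73 74 2e 73 74 65 61 6d 70 6f 77 65 :.test.steampowe
00000040 72 65 64 2e 63 6f 6d 0d 0a 41 63 63 65 70 74 3a red.com..Accept:
00000050 20 74 65 78 74 2f 68 74 6d 6c 2c 2a 2f 2a 3b 71 .text/html,*/*;q
00000060 3d 30 2e 39 0d 0a 61 63 63 65 70 74 2d 65 6e 63 =0.9..accept-enc
00000070 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 69 64 65 6e oding:.gzip,iden
00000080 74 69 74 79 2c 2a 3b 71 3d 30 0d 0a 61 63 63 65 tity,*;q=0..acce
00000090 70 74 2d 63 68 61 72 73 65 74 3a 20 49 53 4f 2d pt-charset:.ISO-
000000a0 38 38 35 39 2d 31 2c 75 74 66 2d 38 2c 2a 3b 71 8859-1,utf-8,*;q
000000b0 3d 30 2e 37 0d 0a 75 73 65 72 2d 61 67 65 6e 74 =0.7..user-agent
000000c0 3a 20 56 61 6c 76 65 2f 53 74 65 61 6d 20 48 54 :.Valve/Steam.HT
000000d0 54 50 20 43 6c 69 65 6e 74 20 31 2e 30 0d 0a 0d TP.Client.1.0...
000000e0 0a .
"""

def dump_to_bytes(dump):
    # Each line is "offset, up to 16 hex bytes, ASCII column"; keep only the hex bytes.
    out = bytearray()
    for line in dump.splitlines():
        hex_part = re.match(r"[0-9a-f]{8}((?: [0-9a-f]{2}){1,16})", line).group(1)
        out += bytes.fromhex(hex_part)
    return bytes(out)

def parse_request(raw):
    # Returns the request line and a dict of headers keyed by lowercase name.
    first, *rest = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    return first, {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in rest)}

def rule_fields(rule):
    # The options that decide what the alert means: match string, depth, class, severity.
    pats = {"content": r'content:"([^"]+)"', "depth": r"depth:(\d+)",
            "classtype": r"classtype:([\w-]+)", "severity": r"signature_severity (\w+)"}
    return {k: re.search(p, rule).group(1) for k, p in pats.items()}

def triage():
    request, headers = parse_request(dump_to_bytes(DUMP))
    f = rule_fields(RULE)
    # depth:N restricts the content match to the first N bytes of the http.user_agent buffer.
    matched = f["content"] in headers["user-agent"][:int(f["depth"])]
    return {"request": request, "host": headers["host"], "user_agent": headers["user-agent"], "matched": matched, **f}

if __name__ == "__main__":
    print(triage())
```

The decoded request is a GET /204 to test.steampowered.com whose User-Agent begins with the rule's 23-byte match string, and the rule labels itself policy-violation with severity Informational.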
Showing 1-2 of 2 comments
Hi Im Swat Nov 20 @ 9:30am
You were not hacked, nobody ever is. YOU very likely visited a shady website and either entered your account details and/or downloaded malicious software. Account security is YOUR responsibility at all times.

Secure your PC, accounts, and STOP visiting obvious scam sites.
Last edited by Hi Im Swat; Nov 20 @ 9:31am
RPG Gamer Man Nov 20 @ 10:53am
Yea, stop using scam sites. You use CSGO, so I'm sure you visited one of those fake skin trading sites or you voted for a team.