"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139"

SID: 2000565

Revision: 9

Class Type: suspicious-login

Metadata: created_at 2010_07_30, updated_at 2010_11_04

Reference:

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: 139

Flow: to_server,established

Contents:

  • Value: "|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"

Within:

PCRE:

Special Options:
