"ET TROJAN Mac Trojan HTTP Checkin (accept-language violation)"

SID: 2007650

Revision: 4

Class Type: trojan-activity

Metadata: created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_10

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "GET " Depth: 4

  • Value: " HTTP/1.1|0d 0a|Accept-Language|3a| "

Within:

PCRE: "/Accept-Language\: [a-zA-Z0-9]{20}/"

Special Options:
