"ET EXPLOIT Pwdump6 Session Established test file created on victim"

SID: 2008445

Revision: 4

Class Type: suspicious-filename-detect

Metadata: created_at 2010_07_30, updated_at 2012_04_30

Reference:

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: [139,445]

Flow: to_server,established

Contents:

  • Value: "|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"

Within:

PCRE:

Special Options:
