""ET TROJAN FAKE AV HTTP CnC Post""

SID: 2009455

Revision: 8

Class Type: trojan-activity

Metadata: created_at 2010_07_30, updated_at 2022_05_03

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "POST"

• Value: "action="

• Value: "uid="

• Value: "cnt="

• Value: "lng="

• Value: "type="

• Value: "user_id="

• Value: "pc_id="

• Value: "abbr="

• Value: "User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)"

Within:

PCRE:

Special Options:

• nocase

• http_method

• nocase

• http_client_body

• nocase

• http_client_body

• nocase

• http_client_body

• nocase

• http_client_body

• nocase

• http_client_body

• nocase

• http_client_body

• nocase

• http_client_body

• nocase

• http_client_body

• http_header

source