""ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET""

SID: 2010241

Revision: 6

Class Type: trojan-activity

Metadata: created_at 2010_07_30, updated_at 2013_09_20

Reference:

  • md5

  • d9bcb4e4d650a6ed4402fab8f9ef1387

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "GET"

  • Value: "/Reports/install-report.php"

  • Value: "abbr="

  • Value: "TALWinInetHTTPClient"

Within:

PCRE:

Special Options:

  • http_method

  • http_uri

  • http_uri

  • http_header

source