""ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype""

SID: 2011528

Revision: 6

Class Type: bad-unknown

Metadata: affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2012_04_16

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

• Value: "PDF-"

• Value: "/"

• Value: !"Subtype"

• Value: "#"

Within: 19

PCRE: "/\x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65)/"

Special Options:

• file_data

source