""ET WEB_CLIENT PDF Name Representation Obfuscation of Action""
SID: 2011529
Revision: 4
Class Type: bad-unknown
Metadata: affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2012_04_16
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "PDF-"
-
Value: "/"
-
Value: !"Action"
-
Value: "#"
Within: 16
PCRE: "/\x2F(?!Action)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/"
Special Options:
- file_data