"ET TROJAN Storm/Waledac 3.0 Checkin 2"
SID: 2012139
Revision: 6
Class Type: trojan-activity
Metadata: created_at 2011_01_05, updated_at 2012_03_17
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: 1024:
Destination Network: $EXTERNAL_NET
Destination Port: 1024:
Flow: established,to_server
Contents:
- Value: "GET " Depth: 4
- Value: "Host|3a| "
- Value: "Content-Length|3a| "
- Value: ".htm HTTP/1.1"
- Value: "|01 02 01 01|"
Within:
PCRE: "/Content-Length\x3a [1-9]/"
Special Options:
- nocase
- fast_pattern