""ET TROJAN FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers""
SID: 2012627
Revision: 1
Class Type: trojan-activity
Metadata: created_at 2011_04_04, updated_at 2011_04_04
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "HTTP/1.1|0d 0a|Accept|3a 20|/|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Host|3a 20|"
-
Value: "|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"
-
Value: ")|0d 0a|Content-Length"
-
Value: "|0d 0a 0d 0a|data="
Within:
PCRE:
Special Options:
- fast_pattern