"ET TROJAN Bifrose/Cycbot Checkin"
SID: 2013795
Revision: 9
Class Type: trojan-activity
Metadata: created_at 2011_10_24, updated_at 2014_01_15
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "GET"
-
Value: "?sv="
-
Value: "&tq="
-
Value: "User-Agent|3a| chrome/9.0"
Within:
PCRE: "/(?:1|2).(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq=/Ui"
Special Options:
-
http_method
-
fast_pattern
-
http_uri
-
http_uri
-
http_header