""ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain""
SID: 2016582
Revision: 3
Class Type: bad-unknown
Metadata: created_at 2013_03_15, updated_at 2014_07_23
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: to_server,established
Contents:
- Value: "Java/1."
Within:
PCRE: "/^Host\x3a\x20[^\r\n]+.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curity(?:exploit|tactic)s.com)|tufftoread.com|ytes.net)|m(?:y(?:(?:(?:dissen|effec)t|mediapc|psx).net|securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|n(?:o(?:-ip.(?:c(?:o.uk|a)|info|biz|net|org)|ip.(?:me|us))|et-freaks.com|flfan.org|hlfan.net)|h(?:o(?:mesecurity(?:ma|p)c.com|pto.(?:org|me))|ealth-carereform.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|g(?:o(?:lffan.us|tdns.ch)|eekgalaxy.com)|b(?:logsyte.com|ounceme.net|rasilia.me)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|w(?:orkisboring.com|ebhop.me)|(?:3utiliti|quicksyt)es.com|eating-organic.net|ilovecollege.info|fantasyleague.cc|loginto.me|zapto.org)(\x3a\d{1,5})?\r$/Hmi"
Special Options:
- http_header