"ET CURRENT_EVENTS GrandSoft PDF Payload Download"

SID: 2016764

Revision: 15

Class Type: trojan-activity

Metadata: created_at 2013_04_17, updated_at 2018_03_06

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "User-Agent|3a 20|http|3a|//"

Within:

PCRE: "/^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"

Special Options:

  • http_header
