""ET TROJAN Possible Backdoor.Linux.Tsunami Outbound HTTP request""

SID: 2016949

Revision: 1

Class Type: trojan-activity

Metadata: created_at 2013_05_31, updated_at 2013_05_31

Reference:

• Link

Protocol: tcp

Source Network: $HTTP_SERVERS

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "User-Agent|3a 20|Mozilla/4.75 [en] (X11|3b| U|3b| Linux 2.2.16-3 i686)|0d 0a|"

• Value: "|3a|80|0d 0a|"

Within:

PCRE:

Special Options:

• http_header

• http_header

source