""ET CURRENT_EVENTS c0896 Hacked Site Response Hex (Outbound)""

SID: 2017193

Revision: 2

Class Type: trojan-activity

Metadata: created_at 2013_07_25, updated_at 2013_07_26

Reference:

Protocol: tcp

Source Network: $HTTP_SERVERS

Source Port: $HTTP_PORTS

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "0c0896"

  • Value: "="

Within:

PCRE: "/^[^\x22\x27\x3b]*?\x22\x27(?P[^0-9a-f])(?P[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"

Special Options:

  • file_data

  • fast_pattern
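Added example (not part of the Emerging Threats rule or of this page): a Python emulation of the option chain above, run over constructed response bodies. It restores the named-group brackets that the listing lost (sep, f, n, z are recoverable from their back-references) and keeps `(?P=space)` exactly as printed, which is why the printed pattern fails to compile: `space` is referenced but never defined. For the demonstration the undefined group is swapped for an assumed single hex byte, the blank Within value is not enforced, `re` stands in for PCRE (the syntax used is common to both) and the `/R` modifier is emulated by anchoring at the end of the previous content match. The sample bodies are constructed, not captured traffic.

```python
import re

# Rule fields as printed on the page for SID 2017193 rev 2. Only the
# named-group brackets lost in extraction (<sep>, <f>, <n>, <z>) are restored;
# "(?P=space)" is kept exactly as the page shows it.
CONTENT_1 = "0c0896"
CONTENT_2 = "="
PCRE_AS_PRINTED = (
    r"^[^\x22\x27\x3b]*?\x22\x27(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)"
    r"[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)"
    r"([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)"
    r"(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)"
    r"(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)"
)

# ASSUMPTION for the demonstration only: treat the undefined "space" group as
# one more hex-encoded byte. This is not what the rule author wrote; it is a
# stand-in so the rest of the structure can be exercised.
PCRE_WITH_SPACE_DEFINED = PCRE_AS_PRINTED.replace(
    "(?P=space)", "(?P<space>[a-f0-9]{2})", 1
)


def compile_pcre(pattern):
    """Compile with Python's re (a stand-in for PCRE; the syntax used here is
    common to both). Returns (compiled, None) or (None, error message)."""
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, str(exc)


def rule_matches(body, pattern):
    """Emulate the rule's option chain over one HTTP response body (file_data):
    content:"0c0896"; content:"="; pcre:"/.../R".
    The page's Within value is blank, so no distance bound is enforced here
    (assumption); the /R modifier is emulated by anchoring the PCRE at the end
    of the previous content match."""
    compiled, err = compile_pcre(pattern)
    if compiled is None:
        raise ValueError("pcre does not compile: " + err)
    i = body.find(CONTENT_1)
    if i < 0:
        return False
    j = body.find(CONTENT_2, i + len(CONTENT_1))
    if j < 0:
        return False
    # Slice rather than pass pos= to match(): '^' only anchors at index 0.
    return compiled.match(body[j + len(CONTENT_2):]) is not None


# Constructed sample bodies (not captured traffic). The hex bytes follow the
# PCRE's skeleton: f ?? n ???? n space z z z f f f, with '%' as separator.
HIT = ('<script>var a=document.getElementById("0c0896");'
       'var b="\'%66%6f%72%61%6d%65%2e%72%20%2f%2f%2f%66%66%66";</script>')
# Same body, but the "z" byte equals the "f" byte, which the negative
# lookahead (?!((?P=f)|(?P=n))) rejects.
NEAR_MISS = HIT.replace("%2f%2f%2f", "%66%66%66")
# No "0c0896" content match at all, so the PCRE is never reached.
CLEAN = '<script>var a=document.getElementById("c0896");</script>'


def demo():
    _, err = compile_pcre(PCRE_AS_PRINTED)
    return {
        "printed_pcre_error": err,
        "hit": rule_matches(HIT, PCRE_WITH_SPACE_DEFINED),
        "near_miss": rule_matches(NEAR_MISS, PCRE_WITH_SPACE_DEFINED),
        "clean": rule_matches(CLEAN, PCRE_WITH_SPACE_DEFINED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The first result is the check worth keeping: compile the PCRE field of any rule you deploy before trusting it, since an undefined back-reference is a load-time error in the sensor rather than a silently dead signature. The other three results show how the back-references pin the byte structure: the separator must repeat verbatim, `n` must reappear in position 8, and the three `z` bytes may equal neither `f` nor `n`.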
