"ET WEB_CLIENT c0896 Hacked Site Response Octal (Inbound)"

SID: 2017194

Revision: 2

Class Type: trojan-activity

Metadata: created_at 2013_07_25, updated_at 2013_07_26

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "0c0896"

  • Value: "="

Within:

PCRE: "/^[^\x22\x27\x3b]*?\x22\x27(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"

Special Options:

  • file_data

  • fast_pattern
