""ET WEB_CLIENT c0896 Hacked Site Response Hex (Inbound)""

SID: 2017195

Revision: 2

Class Type: trojan-activity

Metadata: created_at 2013_07_25, updated_at 2013_07_26

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

• Value: "0c0896"

• Value: "="

Within:

PCRE: "/^[^\x22\x27\x3b]*?\x22\x27(?P[^0-9a-f])(?P[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"

Special Options:

• file_data

• fast_pattern

source