""ET CURRENT_EVENTS SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command""

SID: 2017318

Revision: 5

Class Type: bad-unknown

Metadata: created_at 2013_08_13, updated_at 2019_07_01

Reference:

Protocol: tcp

Source Network: any

Source Port: ![445,138,80]

Destination Network: any

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "PRIVMSG|20|"

Within:

PCRE: "/^[^\r\n]+.(?:t(?:ar|gz)|exe|zip)/Ri"

Special Options:
