"ET TROJAN Likely Bot Nick in IRC ([country|so version|CPU])"
SID: 2017395
Revision: 3
Class Type: trojan-activity
Metadata: created_at 2013_08_28, updated_at 2013_08_29
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: any
Flow: established,to_server
Contents:
- Value: "NICK {"
- Value: "x86"
- Value: "}"
  Within: 12
PCRE: "/NICK {[a-z]{2,3}\x2D.+?x86[a-z]}[a-z]/i"
Special Options: