"ET CURRENT_EVENTS BHEK Payload Download (java only alternate method may overlap with 2017454)"
SID: 2017554
Revision: 1
Class Type: trojan-activity
Metadata: created_at 2013_10_03, updated_at 2013_10_03
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "Java/1."
-
Value: ".php?"
Within:
PCRE: "/.php\?[^=]+=(?:[^&]?[a-z0-9]{2}){5}&[^=]+=(?:[^&]?[a-z0-9]{2}){10}&/U"
Special Options:
-
http_header
-
http_uri