""ET CURRENT_EVENTS DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign""
SID: 2017555
Revision: 1
Class Type: trojan-activity
Metadata: created_at 2013_10_03, updated_at 2013_10_03
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
- Value: ".js?cp="
Within:
PCRE: "/\/[A-F0-9]{8}.js\?cp=/U"
Special Options:
- http_uri