"ET TROJAN Possible SSH Linux.Fokirtor backchannel command"
SID: 2017727
Revision: 6
Class Type: trojan-activity
Metadata: created_at 2013_11_16, updated_at 2013_11_20
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: any
Destination Network: any
Destination Port: 22
Flow: established,to_server
Contents:
- Value: "|3a 21 3b 2e|"
Within:
PCRE: "/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})/R"
Special Options: