""ET WEB_CLIENT CookieBomb 2.0 In Server Response Jan 29 2014""

SID: 2018037

Revision: 3

Class Type: trojan-activity

Metadata: created_at 2014_01_30, updated_at 2014_01_30

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: from_server,established

Contents:

• Value: "%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"

• Value: "%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"

• Value: "%64%6f%52%65%64%69%72%65%63%74"

Within:

PCRE:

Special Options:

• file_data

• nocase

• nocase

• nocase

source