"ET CURRENT_EVENTS Generic HeapSpray Construct"

SID: 2018145

Revision: 4

Class Type: bad-unknown

Metadata: created_at 2014_02_15, updated_at 2016_03_07

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "CollectGarbage"

  • Value: "var"

Within:

PCRE: "/^\s+?(?P<vname>[^\s\x3d]+)\s?=\s?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s?([^\x3b)]?\x3b[^\x3b)]+?<=?\s?(?P=vname)[^)]+?)\s?(?:{[^}]?|[^\r\n]?)document\s.\screateElement/Rsi"

Special Options:

  • file_data

  • nocase
