"ET CURRENT_EVENTS SUSPICIOUS XXTEA UTF-16 Encoded HTTP Response"

SID: 2018175

Revision: 2

Class Type: bad-unknown

Metadata: created_at 2014_02_25, updated_at 2014_02_26

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: any

Flow: from_server,established

Contents:

  • Value: "u|00|t|00|f|00|8|00|t|00|o|00|1|00|6|00|"

  • Value: "x|00|x|00|t|00|e|00|a|00|_|00|d|00|e|00|c|00|r|00|y|00|p|00|t|00|"

  • Value: "b|00|a|00|s|00|e|00|6|00|4|00|d|00|e|00|c|00|o|00|d|00|e"

Within:

PCRE:

Special Options:

  • nocase

  • nocase

  • fast_pattern

  • nocase
