""ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks Initial (POST)""

SID: 2019094

Revision: 4

Class Type: trojan-activity

Metadata: created_at 2014_08_30, updated_at 2018_03_20

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

• Value: "POST"

• Value: ".php"

• Value: "seed="

• Value: "&referrer="

• Value: "&agent="

• Value: "&location="

• Value: "&toplocation="

Within:

PCRE: "/.php$/U"

Special Options:

• http_method

• http_uri

• http_client_body

• http_client_body

• http_client_body

• http_client_body

• http_client_body

source