""ET CURRENT_EVENTS Possible Astrum EK URI Struct""

SID: 2019176

Revision: 2

Class Type: trojan-activity

Metadata: created_at 2014_09_16, updated_at 2015_10_01

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "|2e 20|HTTP/1."

Within:

PCRE: "/^\/(?=[A-Za-z_-]?\d)(?=[a-z0-9_-]?[A-Z])(?:[A-Za-z0-9_-]{4}){15,}(?:[[A-Za-z0-9_-]{2}\x2e?\x2e|[A-Za-z0-9_-]{3}\x2e)$/U"

Special Options:

source