"ET CURRENT_EVENTS Fiesta EK Landing Nov 05 2014"
SID: 2019655
Revision: 5
Class Type: trojan-activity
Metadata: created_at 2014_11_06, updated_at 2014_11_24
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: from_server,established
Contents:
-
Value: "=|27|c"
-
Value: "t|27 3b|return"
-
Value: ".indexOf"
Within: 9
PCRE: "/^\s?\x28\s?[a-z0-9]{4,6}\s?\x28\s?[a-z0-9]{1,3}\s?,\s?[a-z0-9]{1,3}\s?\x29\s?\x29\s?\x3b\s?(?P<var>[a-z0-9]{1,3})\s?\x3d\s?\x28\s?(?P=var)\s?\x2b\s?[a-z0-9]{1,3}\s?\x29\s?\x25\s?[a-z0-9]{1,3}.length\x3b/R"
Special Options:
-
file_data
-
fast_pattern