""ET TROJAN Possible Dyre SSL Cert (fake state)""
SID: 2019833
Revision: 6
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2015_01_20, reviewed_at 2024_03_25
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: [443,4443]
Destination Network: $HOME_NET
Destination Port: any
Flow: established,from_server
Contents:
-
Value: "|16|"
-
Value: "|0b|"
-
Value: "|02 09 00|"
-
Value: "|06 03 55 04 06 13 02 41 55|"
-
Value: "|06 03 55 04 08|"
-
Value: !"|0a|Some-State"
Within: 11
PCRE: "/^.{2}(?=[A-Z]{0,32}[^A-Z01])(?P[^01]{4,33}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"
Special Options: