"ET TROJAN LinuxNet.perlbot Checkin Via IRC"
SID: 2019921
Revision: 1
Class Type: trojan-activity
Metadata: created_at 2014_12_11, updated_at 2014_12_11
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: to_server,established
Contents:
-
Value: "NICK|20 7c|GNU|7c 0a|"
Depth: 12
-
Value: "USER|20|GNU|20|"
-
Value: "|0a|JOIN|20|"
Within: 9
PCRE: "/(?:\d{1,3}.){3}\d{1,3} (?:\d{1,3}.){3}\d{1,3} \x3a(?:Linux|FreeBSD|SunOS)/R"
Special Options:
- fast_pattern