"ET INFO Terse Named Filename EXE Download - Possibly Hostile"
SID: 2020202
Revision: 3
Class Type: suspicious-filename-detect
Metadata: attack_target Client_and_Server, created_at 2015_01_16, deployment Perimeter, deployment SSLDecrypt, deployment alert_only, performance_impact Moderate, confidence Low, signature_severity Informational, updated_at 2023_05_24
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "filename="
-
Value: ".exe"
Within: 8
PCRE: "/filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe/Hi"
Special Options:
-
http_header
-
http_header
-
fast_pattern
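The fields above describe one Suricata/Snort rule. As an added example that is not part of the Emerging Threats rule set or of this page, the following Python models the rule's header-buffer match logic (the two content keywords with within:8, then the PCRE, all ANDed) and runs it over constructed HTTP response headers; a reconstruction of the rule in Snort keyword syntax sits in a comment at the top. The function names, the sample headers, and the reading of the three listed modifiers as http_header on the first content and http_header plus fast_pattern on the second are this example's assumptions. Flow direction, port variables and the engine's header normalisation are not modelled; only header bytes are ever passed in, which is what the /H modifier and http_header restrict the rule to. Note that the PCRE's /i does not carry over to the content matches, which set no nocase and so stay case-sensitive; the samples include both ways that difference can decide the verdict.

```python
"""
Added example (not part of the Emerging Threats rule set or its docs): a
Python model of the header-buffer logic of SID 2020202, run over constructed
HTTP response headers. Function names and the samples are this example's own.
"""
import re

# The fields above, assembled into Snort 2 / Suricata keyword syntax. This is a
# reconstruction: the page lists the modifiers http_header, http_header and
# fast_pattern in order, read here as http_header on the first content and
# http_header plus fast_pattern on the second (an assumption).
#
#   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
#     msg:"ET INFO Terse Named Filename EXE Download - Possibly Hostile";
#     flow:established,to_client;
#     content:"filename="; http_header;
#     content:".exe"; http_header; within:8; fast_pattern;
#     pcre:"/filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe/Hi";
#     classtype:suspicious-filename-detect; sid:2020202; rev:3; ...)

# The rule's PCRE, byte for byte. /H confines it to the HTTP header buffer
# (modelled by only ever passing header bytes in); /i is re.IGNORECASE.
PCRE = re.compile(rb"filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe", re.IGNORECASE)

FIRST = b"filename="
SECOND = b".exe"
WITHIN = 8


def content_checks(headers: bytes) -> bool:
    """content:"filename="; then content:".exe"; within:8.

    Neither content sets nocase, so both comparisons are case-sensitive.
    Like the engine, every occurrence of the first content is tried before
    the check is declared failed.
    """
    pos = headers.find(FIRST)
    while pos != -1:
        end = pos + len(FIRST)
        # within:8 -> the whole ".exe" must sit inside the next 8 bytes,
        # i.e. quote + at most three name characters + ".exe".
        if SECOND in headers[end:end + WITHIN]:
            return True
        pos = headers.find(FIRST, pos + 1)
    return False


def pcre_check(headers: bytes) -> bool:
    return PCRE.search(headers) is not None


def rule_2020202_matches(headers: bytes) -> bool:
    """All keywords must match: the content checks AND the pcre."""
    return content_checks(headers) and pcre_check(headers)


def response(content_disposition: bytes) -> bytes:
    """Constructed server response headers (sample data, not captured traffic).

    flow:established,to_client with $HTTP_PORTS as the source means the
    buffer inspected is the server's response, which is what this builds.
    """
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Disposition: " + content_disposition + b"\r\n\r\n")


# Constructed samples, each annotated with the keyword that decides it.
SAMPLES = {
    # two-character quoted name: fires
    "terse_double_quoted": response(b'attachment; filename="a1.exe"'),
    # single quotes, upper-case name: pcre is /i and ".exe" stays lowercase -> fires
    "terse_single_quoted_upper": response(b"attachment; filename='X.exe'"),
    # four characters: ".exe" ends 9 bytes after "filename=", within:8 fails ({1,3} fails too)
    "four_chars": response(b'attachment; filename="abcd.exe"'),
    # no quote: content checks pass, but the pcre demands ' or " after "=" -> silent
    "unquoted": response(b"attachment; filename=ab.exe"),
    # upper-case extension: pcre would match under /i, content:".exe" has no nocase -> silent
    "upper_extension": response(b'attachment; filename="a.EXE"'),
    # ordinary long name: silent
    "long_name": response(b'attachment; filename="setup-installer.exe"'),
}


def evaluate(samples=SAMPLES):
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_2020202_matches(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{'ALERT ' if fired else 'silent'}  {name}")
```

The "unquoted" and "upper_extension" samples are the ones worth keeping in mind when tuning: the first passes the content checks and is rejected only by the PCRE, the second passes the PCRE and is rejected only by the case-sensitive content:".exe", so loosening either keyword alone changes which downloads alert.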