"ET CURRENT_EVENTS KaiXin Secondary Landing Page"

SID: 2021293

Revision: 3

Class Type: trojan-activity

Metadata: created_at 2015_06_18, updated_at 2022_05_03

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "/win.html"

  • Value: !"Host|3a 20|www.carrona.org"

Within:

PCRE: "/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/Hsi"

Special Options:

  • http_uri
