""ET TROJAN PSEmpire Checkin via POST""
SID: 2021616
Revision: 1
Class Type: trojan-activity
Metadata: created_at 2015_08_12, updated_at 2015_08_12
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: to_server,established
Contents:
-
Value: "POST"
-
Value: "/admin/get.php"
-
Value: "User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko|0d 0a|"
-
Value: !"Referer|3a 20|"
-
Value: !"|0d 0a|Accept"
Within:
PCRE: "/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"
Special Options:
-
http_method
-
http_uri
-
http_header
-
http_header
-
http_header