""ET TROJAN LokiBot User-Agent (Charon/Inferno)""
SID: 2021641
Revision: 4
Class Type: trojan-activity
Metadata: created_at 2015_08_18, updated_at 2018_04_13, reviewed_at 2024_04_10
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
- Value: "(Charon|3b| Inferno)"
Within:
PCRE: "/^User-Agent\x3a[^\r\n]+\x28Charon\x3b Inferno\x29\r?$/Hmi"
Special Options:
- http_header