Et rule 2022204 - Magic-SigExplorer

""ET TROJAN Ponmocup HTTP Request (generic) M8""

SID: 2022204

Revision: 2

Class Type: trojan-activity

Metadata: created_at 2015_12_02, performance_impact Significant, updated_at 2024_05_01

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: !"Accept-"
Value: "Accept|3a 20|/|0d 0a|"
Value: !"Referer|3a|"
Value: "Cookie|3a 20|"
Value: !"|0d 0a|"
Value: "Host|3a 20|8"

Within: 300

PCRE: "/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"

Special Options:

http_header
http_header
http_header
http_header

source