""ET TROJAN NanoLocker Check-in (ICMP) M1""

SID: 2022331

Revision: 3

Class Type: trojan-activity

Metadata: created_at 2016_01_05, updated_at 2016_01_06

Reference:

• Link

Protocol: icmp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow:

Contents:

• Value: "|31|" Depth: 1

Within:

PCRE: "/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"

Special Options:

source