SID: 2022343

Revision: 1

Class Type: trojan-activity

Metadata: created_at 2016_01_08, updated_at 2016_01_08

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "GET"

  • Value: ".php?id="

  • Value: "&token1="

  • Value: "&token2="

  • Value: "&C="

  • Value: !"Referer|3a|"

Within:

PCRE: "/\/[A-Za-z]+.php\?((?:id|token1|token2|C)=[A-Za-z0-9\/=+%]*={0,2}&?){4}$/U"

Special Options:

  • http_method

  • http_uri

  • fast_pattern

  • http_uri

  • http_uri

  • http_uri

  • http_header
