""ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound""

SID: 2022554

Revision: 1

Class Type: misc-attack

Metadata: created_at 2016_02_22, updated_at 2016_02_22

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

• Value: "%"

• Value: "temp%"

• Value: "temp%"

Within: 7

PCRE: "/\%(?:25)?temp\%/Ii"

Special Options:

• http_raw_uri

• nocase

• http_raw_uri

source