"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"
SID: 2022894
Revision: 5
Class Type: trojan-activity
Metadata: created_at 2016_06_14, performance_impact Moderate, updated_at 2024_05_04
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "x-flash-version|3a|"
-
Value: !"/crossdomain.xml"
-
Value: !".swf"
-
Value: !".flv"
-
Value: !"[DYNAMIC]"
-
Value: !".swf"
-
Value: !".flv"
-
Value: !"/crossdomain.xml"
-
Value: !"|0d 0a|Cookie|3a|"
-
Value: !"sync-eu.exe.bid"
Within:
PCRE: "/^Host\x3a\x20[^\r\n]+.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"
Special Options:
-
http_header
-
http_header
-
http_header
-
nocase
-
http_header
-
nocase
-
http_header
-
nocase
-
http_uri
-
nocase
-
http_uri
-
http_uri
-
http_header