""ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016""
SID: 2022896
Revision: 5
Class Type: trojan-activity
Metadata: created_at 2016_06_14, performance_impact Moderate, updated_at 2024_04_22, reviewed_at 2024_04_11
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
- Value: ".exe"
- Value: !"Referer|3a|"
- Value: !"|0d 0a|Cookie|3a|"
  Within:
PCRE: "/^Host\x3a\x20[^\r\n]+.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"
Special Options:
- nocase
- http_uri
- http_header
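To make the rule's conditions concrete, the following is an added Python illustration (not Emerging Threats' or Suricata's own code) that re-expresses the four match conditions above and evaluates them against a handful of constructed HTTP requests. It assumes `nocase` applies to all three content matches and that the PCRE runs over the header block with Suricata's `H`, `m` and `i` flags mapped to a multiline, case-insensitive search; the unescaped `.` before the gTLD alternation is kept exactly as the rule publishes it, so it matches any single character rather than a literal dot.

```python
import re

# PCRE from SID 2022896, copied verbatim; H (http_header buffer) is modelled by
# searching only the header block, m -> MULTILINE, i -> IGNORECASE.
GTLD_HOST_RE = re.compile(
    r"^Host\x3a\x20[^\r\n]+.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)"
    r"|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)"
    r"|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t"
    r"|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)"
    r"(?:\x3a\d{1,5})?\r?\n",
    re.IGNORECASE | re.MULTILINE,
)


def split_request(raw):
    """Split a raw HTTP request into (request-line, header block ending in CRLF)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition("\r\n")
    return request_line, headers + "\r\n"


def matches_sid_2022896(raw_request):
    """Return True when all four conditions of the rule hold for one request."""
    request_line, headers = split_request(raw_request)
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    lowered = headers.lower()
    # content:".exe"; http_uri; nocase (assumed to cover this match)
    if ".exe" not in uri.lower():
        return False
    # content:!"Referer|3a|"; http_header  -- any Referer header clears the rule
    if "referer:" in lowered:
        return False
    # content:!"|0d 0a|Cookie|3a|"; http_header -- the literal requires a CRLF
    # before "Cookie:", so a Cookie header on the very first header line would
    # not be caught by this byte match; mirrored faithfully here.
    if "\r\ncookie:" in lowered:
        return False
    # pcre: Host header whose value ends in one of the listed gTLDs (optional port)
    return GTLD_HOST_RE.search(headers) is not None


# Constructed sample requests (hostnames and paths are made up for illustration).
SAMPLE_REQUESTS = {
    "exe_from_xyz_no_referer": (
        "GET /files/update.exe HTTP/1.1\r\n"
        "Host: cdn-example.xyz\r\n"
        "User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    "exe_from_click_with_port": (
        "GET /dl/SETUP.EXE HTTP/1.1\r\n"
        "Host: dl.example.click:8080\r\n"
        "User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    "exe_but_has_referer": (
        "GET /files/update.exe HTTP/1.1\r\n"
        "Host: cdn-example.xyz\r\n"
        "Referer: http://example.com/downloads\r\n\r\n"
    ),
    "exe_but_has_cookie": (
        "GET /a.exe HTTP/1.1\r\n"
        "Host: files.example.top\r\n"
        "Cookie: session=abc\r\n\r\n"
    ),
    "exe_from_com": (
        "GET /files/update.exe HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    "html_from_xyz": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: cdn-example.xyz\r\n"
        "User-Agent: Mozilla/5.0\r\n\r\n"
    ),
}


def evaluate_samples():
    """Run every constructed sample through the rule logic; returns name -> bool."""
    return {name: matches_sid_2022896(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'pass  '} {name}")
```

Only the first two samples trigger: a `.exe` path, no Referer or Cookie header, and a Host ending in a listed gTLD (with or without a port). The remaining samples each fail exactly one condition, which is a useful way to see why the negated content matches exist: the rule deliberately ignores downloads that arrive from a browsing session (Referer) or an authenticated one (Cookie), and so it tunes toward unattended fetches of executables from the cheap gTLDs it enumerates.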