""ET POLICY CoinHive In-Browser Miner Detected""
SID: 2024721
Revision: 3
Class Type: policy-violation
Metadata: affected_product Any, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, performance_impact Moderate, signature_severity Minor, updated_at 2018_05_08
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,from_server
Contents:
- Value: "coinhive.min.js"
- Value: "start"
- Value: "script"
- Value: "var"
Within:
PCRE: "/^\s(?P<var>[a-zA-Z0-9]{3,20})\s=\snew\sCoinHive\s.\s[^(]+(\s[\x22\x27][A-Za-z0-9]+\s[\x22\x27]\s(?:\x2c\s\x7b\s\w+\x3a\s\d.\d\x7d)?)\s\x3b\s+(?P=var)\s.\s*start/Ri"
Special Options:
- file_data
- nocase
- fast_pattern
- nocase