""ET INFO Possible EXE Download From Suspicious TLD (.yokohama) - set""

SID: 2025498

Revision: 1

Class Type: misc-activity

Metadata: created_at 2018_04_16, updated_at 2018_04_16

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: ".yokohama|0d 0a|"

Within:

PCRE: "/^Host\x3a[^\r\n]+.yokohama(?:\x3a\d{1,5})?\r?$/Hmi"

Special Options:

• http_header

source