""ET CURRENT_EVENTS Possible Malvertising Redirect to EK M1""
SID: 2025912
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, signature_severity Major, updated_at 2018_07_26
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "200"
-
Value: "Content-Encoding|3a 20|gzip|0d 0a|"
-
Value: "<script "
-
Value: "new Date()).getTime()|3b|"
-
Value: ".php?JBOSSESSION="
-
Value: "window.location.href="
-
Value: "<script "
-
Value: ""
Within:
PCRE: "/^\stype\s=\s[\x22\x27]\stext\/javascript\s[\x22\x27]\s>\s+var\s(?P
Special Options:
-
http_stat_code
-
http_header
-
file_data
-
nocase
-
fast_pattern
-
\s+(?P
[A-Za-z0-9]{1,25})\s=\s[\x22\x27]\s[^\r\n]+.php\?JBOSSESSION=\s[\x22\x27]\s+(?P [A-Za-z0-9]{1,25})\s=\s(?P=url)\s+\s(?P=timestamp)\s+window.location.href\s=\s(?P=urlvar2)\s+/Rsi"