Et rule 2027708 - Magic-SigExplorer

""ET TROJAN Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Command Response""

SID: 2027708

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, signature_severity Major, updated_at 2019_07_15

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: from_server,established

Contents:

Value: "200"
Value: "" Depth: 7
Value: ""
Value: ""

Within:

PCRE: "/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>/"

Special Options:

http_stat_code
file_data
fast_pattern

source