""ET TROJAN ELF/Emptiness v2 XOR HTTP Flood Command Inbound""

SID: 2027845

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Linux, created_at 2019_08_09, malware_family Emptiness, tag DDoS, updated_at 2019_08_09

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

• Value: "|fe d6 69 33 f7 4f fb c5|" Depth: 8

Within:

PCRE: "/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"

Special Options:

• fast_pattern

source