""ET INFO Suspected Malicious Telegram Communication (POST)""
SID: 2029634
Revision: 2
Class Type: misc-activity
Metadata: attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2020_03_12
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "|0d 0a|Accept-Language|3a 20|en-US,*|0d 0a|User-Agent|3a 20|Mozilla/5.0|0d 0a|Host|3a 20|"
-
Value: "Content-Length|3a 20|40|0d 0a|"
-
Value: "POST /api HTTP/1.1"
-
Value: "Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"
Within:
PCRE: "/^Content-Type\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/Hmi"
Special Options:
-
http_header
-
http_header
-
http_header