""ET INFO Possible Sharepoint Resource Infection""

SID: 2033698

Revision: 1

Class Type: bad-unknown

Metadata: attack_target Client_and_Server, created_at 2021_08_10, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, signature_severity Informational, updated_at 2021_08_10

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

• Value: "|0d 0a|x-virus-infected|3a 20|"

• Value: "-location|3a 20|"

• Value: "HTTP/1.1|20|409|20|CONFLICT"

Within:

PCRE:

Special Options:

• http_header

• http_header

source