""ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (85937)""
SID: 2035620
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, signature_severity Major, updated_at 2022_03_25
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,from_server
Contents:
-
Value: "Cookie|3a 20|85937=eyJ0e"
-
Value: "200"
Within:
PCRE: "/85937=eyJ0e[A-Z0-9_-.]{20,300}\x3b/Ci"
Special Options:
- http_stat_code