Et rule 2043017 - Magic-SigExplorer

""ET TROJAN Aurora Stealer Admin Console In HTTP Response""

SID: 2043017

Revision: 2

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2022_12_27, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, updated_at 2023_04_04, reviewed_at 2024_01_26

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: to_client,established

Contents:

Value: "content|3d 22|AURORA|20|STEALER|22 3e|"
Value: "|3c|title|3e|Auth|3c 2f|title|3e|"

Within:

PCRE:

Special Options:

file_data

source