Et rule 2046635 - Magic-SigExplorer

SID: 2046635

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2023_06_23, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_06_23

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "GET"
Value: "/post/" Depth: 6
Value: "_"
Value: "User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1)|0d 0a|"
Value: ".lofter.com|0d 0a|"

Within: 1

PCRE: "/^Host\x3a\x20[^\r\n]+.lofter.com/Hmi"

Special Options:

http_method
http_uri
http_uri
http_header
http_header
fast_pattern

source

""ET TROJAN Suspected Blackmoon Related Activity (GET)""