Et rule 2047705 - Magic-SigExplorer

""ET CURRENT_EVENTS Ferest Smuggler Request M1""

SID: 2047705

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2023_08_23, deployment Perimeter, deployment SSLDecrypt, malware_family Ferest_Smuggler, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2023_08_23, reviewed_at 2023_08_23

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "/?"
Value: "="
Value: "&"
Value: "&username="
Value: "&"

Within: 10

PCRE: "/\/\?(?P[a-zA-Z0-9]{32})=(?P=variable){2}\&(?P=variable){2}&username=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}={2})\&(?P=variable)$/U"

Special Options:

http_uri
http_uri
http_uri
http_uri
fast_pattern
http_uri

source