Et rule 2047706 - Magic-SigExplorer

""ET CURRENT_EVENTS Ferest Smuggler Request M2""

SID: 2047706

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2023_08_23, deployment Perimeter, deployment SSLDecrypt, malware_family Ferest_Smuggler, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_08_23, reviewed_at 2023_08_23

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "-mail|0d 0a|"
Value: "?"
Value: "&pid="
Value: "&encoding"
Value: "="
Value: "&username="
Value: "&unsubscribe="
Value: "&pathOWA="
Value: "-mail"

Within: 5

PCRE: "/\?(?P[a-f0-9]{32})(?P=variable)\&pid=(?P=variable){2}&encoding(?P=variable)=(?P=variable){2}&username=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}={2})\&unsubscribe=(?P=variable)\&pathOWA=(?P=variable)-mail$/U"

Special Options:

http_uri
http_uri
http_uri
http_uri
http_uri
http_uri
http_uri
http_uri

source