Et rule 2051542 - Magic-SigExplorer

""ET TROJAN FakeEXT Data Exfiltration Attempt""

SID: 2051542

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_03_07, deployment Perimeter, deployment SSLDecrypt, malware_family FakeEx, performance_impact Low, confidence High, signature_severity Major, tag FakeEXT, updated_at 2024_03_07

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "GET"
Value: "/grab/put?name|3d|" Depth: 15
Value: "value|3d|"
Value: "css_id|3d|"
Value: "uid|3d|"
Value: "url|3d|"

Within:

PCRE: "/uid\x3d[a-f0-9]{8}([a-f0-9]{4}-){2}[a-f0-9]{3}-[a-f0-9]{12}/U"

Special Options:

http_method
http_uri
fast_pattern
http_uri
http_uri
http_uri
http_uri

source