SID: 2051909

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, tls_state plaintext, created_at 2024_04_03, deployment Perimeter, confidence High, signature_severity Critical, updated_at 2024_04_03

Reference:

  • md5

  • 03f80949b6a0d5148c4e0d0557175131

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "200"

  • Value: "Content-Type|3a 20|application/json|3b 20|charset=utf-8|0d 0a|"

  • Value: "Server|3a 20|nginx|0d 0a|"

  • Value: "|7b 22|status|22 3a 20 22|Success|22 2c 20 22|k|22 3a 20 22|" Depth: 28

  • Value: "|22 2c 20 22|c|22 3a 20|"

Within:

PCRE:

Special Options:

  • http_stat_code

  • http_header

  • http_header

  • file_data

  • fast_pattern

source