"ET CURRENT_EVENTS LandUpdate808 Inject Inbound"
SID: 2054228
Revision: 1
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_07_02, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Minor, tag Exploit_Kit, updated_at 2024_07_02
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "var|20|client|20 3d 20|new|20|HttpClient|28 29 3b|"
-
Value: "client|2e|get|28 27|https|3a 2f 2f|www|2e|cloudflare|2e|com|2f|cdn|2d|cgi|2f|trace|27 2c 20|function|28|data|29 20 7b|"
-
Value: "|20 3d 20|window|2e|navigator|2e|userAgent|2e|toLowerCase|28 29 2c|"
-
Value: "var|20|domainName|3d 22|https|3a 2f 2f|"
-
Value: "|3d 20|new|20|XMLHttpRequest|28 29 3b|"
-
Value: "|2e|onreadystatechange|20 3d 20|function|28 29 20 7b|"
-
Value: "|2e|readyState|20 3d 3d 20|XMLHttpRequest|2e|DONE|29 20 7b|"
Within:
PCRE:
Special Options:
- file_data