geedge-jira/attachment/37010/weixin-signature.txt

signature1
    condition1  server_name weixin.qq.com           suffix
	            server_name badjs.weixinbridge.com  exactly
				server_name wx.qq.com               substring
				server_name wx2.qq.com              substring
				server_name .we.qq.com              suffix
				server_name wup.browser.qq.com      suffix
				server_name .wexin.qq.com           suffix
				server_name mmbiz.qpic.cn           suffix
				server_name wx.qlogo.cn             substring
				tcp.payload.c2s_first_data  000000100010000100000006ffffffff  0 16 Rawbytes
				tcp.payload.s2c_first_data  000000100010000100000006ffffffff  0 16 Rawbytes
				ip.payload                  000000100010000100000006ffffffff  0 16 Rawbytes
				
				
signature2
	condition1  http.host  badjs.weixinbridge.com  exactly
	            http.host  wx.qq.com               substring
				http.host  wx2.qq.com              substring
				http.host  .we.qq.com              suffix
				http.host  wup.browser.qq.com      suffix
				http.uri   /micromsg-bin/		   substring
				http.host  .wexin.qq.com           suffix
                http.host  mmbiz.qpic.cn           suffix
                http.host  weixin.qq.com           substring
                http.host  wx.qlogo.cn             substring
                http.host  szextshort.weixin.qq.com substring
				
	condition2  http.user_agent  MicroMessenger     substring
				http.user_agent  WeChat             substring
				http.user_agent  557365722d4167656e743a204d6963726f4d657373656e67657220436c69656e740d0a  substring  Rawbytes
				tcp.payload.c2s_first_data  504f5354202f6d6d746c732f  0 12  Rawbytes
				ip.payload       			504f5354202f6d6d746c732f  0	12	Rawbytes
				
signature3
	condition1  dns.qry.name	weixin.qq.com       suffix
				dns.qry.name	badjs.weixinbridge.com  exactly
				dns.qry.name	wx.qq.com           substring
				dns.qry.name	wx2.qq.com			substring
				dns.qry.name	.we.qq.com			suffix
				dns.qry.name	wx.qlogo.cn			suffix
				dns.qry.name	wup.browser.qq.com	suffix
				dns.qry.name	.wexin.qq.com		suffix
				dns.qry.name	mmbiz.qpic.cn		suffix
				
signature4
	condition1	quic.sni		weixin.qq.com		suffix
				quic.sni		badjs.weixinbridge.com exactly
				quic.sni		wx.qq.com			substring
				quic.sni		wx2.qq.com			substring
				quic.sni		.we.qq.com			suffix
				quic.sni		wx.qlogo.cn			suffix
				quic.sni		wup.browser.qq.com	suffix
				quic.sni		.wexin.qq.com       suffix
				quic.sni		mmbiz.qpic.cn		suffix
				
signature5
	condition1	udp.payload.c2s_first_data		000000100010000100000006ffffffff  substring Rawbytes
				udp.payload.s2c_first_data		000000100010000100000006ffffffff  substring Rawbytes
				
signature6
	condition1	tcp.payload.c2s_first_data		ab00  				substring	Rawbytes
				tcp.payload.s2c_first_data		ab00  				substring   Rawbytes
				ip.payload						ab00  				substring   Rawbytes
				tcp.payload.c2s_first_data		77656978696e6e756d  substring   Rawbytes
				tcp.payload.s2c_first_data		77656978696e6e756d	substring   Rawbytes
				ip.payload						77656978696e6e756d  substring   Rawbytes
				udp.payload.c2s_first_data		ab00  				substring   Rawbytes
				udp.payload.s2c_first_data		ab00  				substring   Rawbytes
				udp.payload.c2s_first_data		77656978696e6e756d  substring   Rawbytes
				udp.payload.s2c_first_data		77656978696e6e756d  substring   Rawbytes
				
signature7
	condition1	tcp.payload.c2s_first_data		17f103				substring	Rawbytes
				tcp.payload.s2c_first_data		17f103				substring   Rawbytes
				ip.payload						17f103				substring   Rawbytes
				udp.payload.c2s_first_data		17f103				substring   Rawbytes
				udp.payload.s2c_first_data		17f103				substring   Rawbytes
				tcp.payload.c2s_first_data		16f103				substring   Rawbytes
				tcp.payload.s2c_first_data		16f103				substring   Rawbytes
				ip.payload						16f103				substring   Rawbytes
				udp.payload.c2s_first_data		16f103				substring   Rawbytes
				udp.payload.s2c_first_data		16f103				substring   Rawbytes
	condition2	tcp.dstport						8080-8080
				tcp.dstport						443-443
				tcp.dstport						80-80
				udp.dstport						8080-8080
				udp.dstport						80-80
				udp.dstport						443-443
				
signature8
	condition1	tcp.payload.c2s_first_data		0a210a0608021003180010	substring	Rawbytes
				tcp.payload.s2c_first_data		0a210a0608021003180010	substring   Rawbytes
				ip.payload						0a210a0608021003180010	substring   Rawbytes
				udp.payload.c2s_first_data		0a210a0608021003180010	substring   Rawbytes
				udp.payload.s2c_first_data		0a210a0608021003180010	substring   Rawbytes
	condition2	tcp.payload.c2s_first_data		0a480050001038			substring   Rawbytes
				tcp.payload.s2c_first_data		0a480050001038			substring   Rawbytes
				ip.payload						0a480050001038			substring   Rawbytes
				udp.payload.s2c_first_data		0a480050001038			substring   Rawbytes
				udp.payload.c2s_first_data		0a480050001038			substring   Rawbytes
				
signature9
	condition1	http.host						emoji.qpic.cn					substring
				tcp.payload.c2s_first_data		474554202f77785f656d6f6a692f	substring	Rawbytes
				tcp.payload.c2s_first_data		504f5354202f6d6d746c732f		substring	Rawbytes
				http.host						.weixin.qq.com					substring
	condition2	http.user_agent					MicroMessenger Client			substring
	condition3	tcp.payload.c2s_first_data		557365722d4167656e743a204d6963726f4d657373656e67657220436c69656e740d0a	substring	Rawbytes
	
signature10
	condition1	tcp.payload.s2c_first_data		17f104	0	3	Rawbytes
				tcp.payload.c2s_first_data		17f104	0	3   Rawbytes
				ip.payload						17f104	0	3   Rawbytes
				tcp.payload.c2s_first_data		16f104	0	3   Rawbytes
				tcp.payload.s2c_first_data		16f104	0	3   Rawbytes
				ip.payload						16f104	0	3   Rawbytes
add attachments 2025-09-14 22:00:20 +00:00			`signature1`
			`condition1 server_name weixin.qq.com suffix`
			`server_name badjs.weixinbridge.com exactly`
			`server_name wx.qq.com substring`
			`server_name wx2.qq.com substring`
			`server_name .we.qq.com suffix`
			`server_name wup.browser.qq.com suffix`
			`server_name .wexin.qq.com suffix`
			`server_name mmbiz.qpic.cn suffix`
			`server_name wx.qlogo.cn substring`
			`tcp.payload.c2s_first_data 000000100010000100000006ffffffff 0 16 Rawbytes`
			`tcp.payload.s2c_first_data 000000100010000100000006ffffffff 0 16 Rawbytes`
			`ip.payload 000000100010000100000006ffffffff 0 16 Rawbytes`


			`signature2`
			`condition1 http.host badjs.weixinbridge.com exactly`
			`http.host wx.qq.com substring`
			`http.host wx2.qq.com substring`
			`http.host .we.qq.com suffix`
			`http.host wup.browser.qq.com suffix`
			`http.uri /micromsg-bin/ substring`
			`http.host .wexin.qq.com suffix`
			`http.host mmbiz.qpic.cn suffix`
			`http.host weixin.qq.com substring`
			`http.host wx.qlogo.cn substring`
			`http.host szextshort.weixin.qq.com substring`

			`condition2 http.user_agent MicroMessenger substring`
			`http.user_agent WeChat substring`
			`http.user_agent 557365722d4167656e743a204d6963726f4d657373656e67657220436c69656e740d0a substring Rawbytes`
			`tcp.payload.c2s_first_data 504f5354202f6d6d746c732f 0 12 Rawbytes`
			`ip.payload 504f5354202f6d6d746c732f 0 12 Rawbytes`

			`signature3`
			`condition1 dns.qry.name weixin.qq.com suffix`
			`dns.qry.name badjs.weixinbridge.com exactly`
			`dns.qry.name wx.qq.com substring`
			`dns.qry.name wx2.qq.com substring`
			`dns.qry.name .we.qq.com suffix`
			`dns.qry.name wx.qlogo.cn suffix`
			`dns.qry.name wup.browser.qq.com suffix`
			`dns.qry.name .wexin.qq.com suffix`
			`dns.qry.name mmbiz.qpic.cn suffix`

			`signature4`
			`condition1 quic.sni weixin.qq.com suffix`
			`quic.sni badjs.weixinbridge.com exactly`
			`quic.sni wx.qq.com substring`
			`quic.sni wx2.qq.com substring`
			`quic.sni .we.qq.com suffix`
			`quic.sni wx.qlogo.cn suffix`
			`quic.sni wup.browser.qq.com suffix`
			`quic.sni .wexin.qq.com suffix`
			`quic.sni mmbiz.qpic.cn suffix`

			`signature5`
			`condition1 udp.payload.c2s_first_data 000000100010000100000006ffffffff substring Rawbytes`
			`udp.payload.s2c_first_data 000000100010000100000006ffffffff substring Rawbytes`

			`signature6`
			`condition1 tcp.payload.c2s_first_data ab00 substring Rawbytes`
			`tcp.payload.s2c_first_data ab00 substring Rawbytes`
			`ip.payload ab00 substring Rawbytes`
			`tcp.payload.c2s_first_data 77656978696e6e756d substring Rawbytes`
			`tcp.payload.s2c_first_data 77656978696e6e756d substring Rawbytes`
			`ip.payload 77656978696e6e756d substring Rawbytes`
			`udp.payload.c2s_first_data ab00 substring Rawbytes`
			`udp.payload.s2c_first_data ab00 substring Rawbytes`
			`udp.payload.c2s_first_data 77656978696e6e756d substring Rawbytes`
			`udp.payload.s2c_first_data 77656978696e6e756d substring Rawbytes`

			`signature7`
			`condition1 tcp.payload.c2s_first_data 17f103 substring Rawbytes`
			`tcp.payload.s2c_first_data 17f103 substring Rawbytes`
			`ip.payload 17f103 substring Rawbytes`
			`udp.payload.c2s_first_data 17f103 substring Rawbytes`
			`udp.payload.s2c_first_data 17f103 substring Rawbytes`
			`tcp.payload.c2s_first_data 16f103 substring Rawbytes`
			`tcp.payload.s2c_first_data 16f103 substring Rawbytes`
			`ip.payload 16f103 substring Rawbytes`
			`udp.payload.c2s_first_data 16f103 substring Rawbytes`
			`udp.payload.s2c_first_data 16f103 substring Rawbytes`
			`condition2 tcp.dstport 8080-8080`
			`tcp.dstport 443-443`
			`tcp.dstport 80-80`
			`udp.dstport 8080-8080`
			`udp.dstport 80-80`
			`udp.dstport 443-443`

			`signature8`
			`condition1 tcp.payload.c2s_first_data 0a210a0608021003180010 substring Rawbytes`
			`tcp.payload.s2c_first_data 0a210a0608021003180010 substring Rawbytes`
			`ip.payload 0a210a0608021003180010 substring Rawbytes`
			`udp.payload.c2s_first_data 0a210a0608021003180010 substring Rawbytes`
			`udp.payload.s2c_first_data 0a210a0608021003180010 substring Rawbytes`
			`condition2 tcp.payload.c2s_first_data 0a480050001038 substring Rawbytes`
			`tcp.payload.s2c_first_data 0a480050001038 substring Rawbytes`
			`ip.payload 0a480050001038 substring Rawbytes`
			`udp.payload.s2c_first_data 0a480050001038 substring Rawbytes`
			`udp.payload.c2s_first_data 0a480050001038 substring Rawbytes`

			`signature9`
			`condition1 http.host emoji.qpic.cn substring`
			`tcp.payload.c2s_first_data 474554202f77785f656d6f6a692f substring Rawbytes`
			`tcp.payload.c2s_first_data 504f5354202f6d6d746c732f substring Rawbytes`
			`http.host .weixin.qq.com substring`
			`condition2 http.user_agent MicroMessenger Client substring`
			`condition3 tcp.payload.c2s_first_data 557365722d4167656e743a204d6963726f4d657373656e67657220436c69656e740d0a substring Rawbytes`

			`signature10`
			`condition1 tcp.payload.s2c_first_data 17f104 0 3 Rawbytes`
			`tcp.payload.c2s_first_data 17f104 0 3 Rawbytes`
			`ip.payload 17f104 0 3 Rawbytes`
			`tcp.payload.c2s_first_data 16f104 0 3 Rawbytes`
			`tcp.payload.s2c_first_data 16f104 0 3 Rawbytes`
			`ip.payload 16f104 0 3 Rawbytes`