[Emerging-Sigs] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected uncrypted

Giles Coochey giles at coochey.net
Mon Dec 17 04:11:31 HAST 2012

If this was truly an "Outgoing" issue:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; sid:2006380; rev:12;)

wouldn't it read:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS...

Just wondering, as I get an FP for this coming in after SSL offloading 
from the proxy. I know I can modify the rule via PP, but it isn't really 
alerting on what it says it is doing.


Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
giles at coochey.net
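
Added example, not part of the original message or the Emerging Threats ruleset: a small Python model of the rule header and its two content checks, showing why a destination of "any" also fires on proxy-to-backend traffic after SSL offload while "$EXTERNAL_NET" does not. The addresses, the HOME_NET range, the reading of $EXTERNAL_NET as !$HOME_NET and the sample requests are assumptions constructed for illustration; the threshold option and real http_header buffering are not modelled.

```python
import base64
import ipaddress

# Assumed sensor variables (constructed); $EXTERNAL_NET is taken to be !$HOME_NET.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
HTTP_PORTS = {80, 8080}

def in_home(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def header_matches(src, dst, dport, dst_spec):
    """Rule header: alert tcp $HOME_NET any -> <dst_spec> $HTTP_PORTS."""
    if not in_home(src) or dport not in HTTP_PORTS:
        return False
    if dst_spec == "any":
        return True
    if dst_spec == "$EXTERNAL_NET":
        return not in_home(dst)
    raise ValueError(f"unsupported destination: {dst_spec}")

def content_matches(request):
    """Approximate the two content options of sid 2006380 on a raw request."""
    marker = b"\r\nauthorization: basic"       # first content, nocase
    pos = request.lower().find(marker)
    if pos < 0:
        return False
    end = pos + len(marker)
    # Negated content, case-sensitive, within:32 of the first match.
    return b"YW5vbnltb3VzOg==" not in request[end:end + 32]

def alerts(flow, dst_spec):
    src, dst, dport, request = flow
    return header_matches(src, dst, dport, dst_spec) and content_matches(request)

def basic_request(user, password):
    token = base64.b64encode(f"{user}:{password}".encode())
    return (b"GET / HTTP/1.1\r\nHost: app.example\r\n"
            b"Authorization: Basic " + token + b"\r\n\r\n")

# Constructed flows: a client going out, and a proxy forwarding inward after SSL offload.
OUTBOUND = ("10.1.1.20", "203.0.113.10", 80, basic_request("alice", "s3cret"))
OFFLOADED = ("10.1.1.5", "10.2.2.8", 80, basic_request("alice", "s3cret"))

if __name__ == "__main__":
    for name, flow in (("outbound", OUTBOUND), ("offloaded", OFFLOADED)):
        for spec in ("any", "$EXTERNAL_NET"):
            print(name, spec, alerts(flow, spec))
```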
