[Emerging-Sigs] SIG: ET WEB_SERVER base64_decode In HTTP POST - Potential Malicious Obfuscation Attempt

Travis Green tgreen at emergingthreats.net
Tue Sep 16 09:28:21 EDT 2014


Kevin, looks like this is covered by sid:2017399

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:6;)

On Tue, Sep 16, 2014 at 7:10 AM, Travis Green <tgreen at emergingthreats.net>
wrote:

> Thanks Kevin, we'll get it into QA.
>
> On Tue, Sep 16, 2014 at 2:27 AM, Kevin Ross <kevross33 at googlemail.com>
> wrote:
>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER base64_decode In HTTP POST - Potential Malicious Obfuscation Attempt"; flow:established,to_server; content:"POST"; http_method; content:"base64_decode("; http_client_body; classtype:web-application-attack; sid:123991; rev:1;)
>>
>> Kind Regards,
>> Kevin Ross
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>>
>
>
> --
> Public key: http://travisgreen.net/tgreen@emergingthreats.net.asc
>



-- 
Public key: http://travisgreen.net/tgreen@emergingthreats.net.asc
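Added example, not code from the thread or from the Emerging Threats ruleset: the matching logic of both rules above re-implemented in plain Python and run over constructed traffic samples, so the reader can see what each one actually inspects. As written, sid:2017399 looks at the file_data buffer of a server-to-client response for "eval" followed (after optional whitespace) by "(base64_decode", while the proposed rule looks at the client body of a POST for the literal "base64_decode(". Function names and the sample request are mine; the PCRE and content strings are copied from the rules as posted.

```python
"""Emulate sid:2017399 and the proposed POST rule on constructed data.

Assumptions (not from the list post): the helper names below are hypothetical,
and the Snort semantics emulated are the documented ones: a content keyword
without 'nocase' is case-sensitive, a content with no distance/within is an
absolute search, and a pcre with the R flag is evaluated relative to the end
of the previous content match, with the engine retrying later occurrences of
that content when an earlier one fails the pcre.
"""
import re

# pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi" from sid:2017399.
# 'R' -> relative to the last content match (handled by slicing the buffer
# at that offset so '^' anchors there), 's' -> DOTALL, 'i' -> IGNORECASE.
_EVAL_B64_PCRE = re.compile(rb"^[\r\n\s]*?\x28[\r\n\s]*?base64_decode",
                            re.IGNORECASE | re.DOTALL)
_EVAL = re.compile(rb"eval", re.IGNORECASE)           # content:"eval"; nocase;
_B64 = re.compile(rb"base64_decode", re.IGNORECASE)   # content:"base64_decode"; nocase;


def sid_2017399_matches(file_data: bytes) -> bool:
    """sid:2017399: server -> client, file_data buffer."""
    # content:"base64_decode"; nocase; fast_pattern:only;
    if not _B64.search(file_data):
        return False
    # content:"eval"; nocase;  (no distance/within, so an absolute search).
    # Try the relative pcre after every "eval" occurrence, as the engine
    # backtracks when the first candidate fails.
    for m in _EVAL.finditer(file_data):
        if _EVAL_B64_PCRE.match(file_data[m.end():]):
            return True
    return False


def proposed_post_rule_matches(method: bytes, client_body: bytes) -> bool:
    """Kevin's rule: client -> server, POST method and "base64_decode(" in
    the http_client_body buffer.  Neither content has nocase, so both
    comparisons are case-sensitive, exactly as the rule is written."""
    return method == b"POST" and b"base64_decode(" in client_body


def split_http_request(raw: bytes):
    """Minimal request splitter: returns (method, body).  Assumes CRLF
    framing and no chunked encoding; enough for the constructed samples."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    return method, body


# Constructed samples (not captured traffic).
WEBSHELL_SOURCE = b"<?php\neval (\n\tbase64_decode($_POST['c']) );"
INDIRECT_CALL = b"<?php $f = 'eval'; $f(base64_decode('x'));"   # evades the pcre
POST_REQUEST = (b"POST /upload.php HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 23\r\n\r\nc=base64_decode('aGk=')")

if __name__ == "__main__":
    print("2017399 on webshell source:", sid_2017399_matches(WEBSHELL_SOURCE))
    print("2017399 on indirect call:  ", sid_2017399_matches(INDIRECT_CALL))
    method, body = split_http_request(POST_REQUEST)
    print("proposed rule on POST body: ",
          proposed_post_rule_matches(method, body))
```

Running it shows the two rules firing on different directions of the same traffic: the response-side rule needs "eval" immediately followed by "(base64_decode" (so the variable-function form above slips past it), and the request-side rule fires on any POST body carrying the literal call, without requiring "eval" at all.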