[Emerging-Sigs] SIG: ET WEB_SERVER base64_decode In HTTP POST - Potential Malicious Obfuscation Attempt

Darien Huss dhuss at emergingthreats.net
Tue Sep 16 09:50:40 EDT 2014


Scratch that, we do need one for the http_client_body, so we'll get that
out today!

Regards,
Darien

On Tue, Sep 16, 2014 at 9:28 AM, Travis Green <tgreen at emergingthreats.net>
wrote:

> Kevin, looks like this is covered by sid:2017399
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:6;)
>
> On Tue, Sep 16, 2014 at 7:10 AM, Travis Green <tgreen at emergingthreats.net>
> wrote:
>
>> Thanks Kevin, we'll get it into QA.
>>
>> On Tue, Sep 16, 2014 at 2:27 AM, Kevin Ross <kevross33 at googlemail.com>
>> wrote:
>>
>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER base64_decode In HTTP POST - Potential Malicious Obfuscation Attempt"; flow:established,to_server; content:"POST"; http_method; content:"base64_decode("; http_client_body; classtype:web-application-attack; sid:123991; rev:1;)
>>>
>>> Kind Regards,
>>> Kevin Ross
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreats.net
>>>
>>>
>>>
>>
>>
>> --
>> Public key: http://travisgreen.net/tgreen@emergingthreats.net.asc
>>
>
>
>
> --
> Public key: http://travisgreen.net/tgreen@emergingthreats.net.asc
>
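As an added example, not code from the thread or from the Emerging Threats rule set: the match logic of the two rules quoted above (Kevin's sid:123991 on the POST body, Travis's sid:2017399 on the server-returned body) re-implemented in plain Python and run over constructed HTTP messages, so the difference in what each one catches, and what slips past each, can be seen without a sensor. The sample traffic, the sample names and the helper names are assumptions made for this illustration. The request-side check is a literal, case-sensitive byte match because that is what the rule text says; whether a given sensor normalizes (URL-decodes) the client body before the content match is an inspector configuration question outside this thread.

```python
# Added example (not from the thread): re-implementation of the two rules'
# match logic over constructed HTTP messages.
import re


def split_http(raw: bytes):
    """Split a raw HTTP message into (start line, body). Headers are ignored."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n", 1)[0], body


def matches_sid_123991(request: bytes) -> bool:
    """Kevin's rule: method is POST and the literal bytes 'base64_decode('
    occur in the request body (content on http_client_body, no nocase)."""
    start_line, body = split_http(request)
    return start_line.split(b" ", 1)[0] == b"POST" and b"base64_decode(" in body


# pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi": anchored (^) right after
# the preceding 'eval' content match (R), dotall (s), case-insensitive (i).
_AFTER_EVAL = re.compile(rb"[\r\n\s]*?\x28[\r\n\s]*?base64_decode", re.I | re.S)


def matches_sid_2017399(response: bytes) -> bool:
    """Travis's rule: in the server body (file_data) both 'base64_decode' and
    'eval' must be present (nocase), and some 'eval' must be followed, modulo
    whitespace, by '(' and then 'base64_decode'. Every 'eval' occurrence is
    tried, so a failed pcre after one 'eval' does not end the evaluation."""
    _, body = split_http(response)
    low = body.lower()
    if b"base64_decode" not in low or b"eval" not in low:
        return False
    return any(_AFTER_EVAL.match(body, m.end())
               for m in re.finditer(rb"eval", body, re.I))


# Constructed traffic for the illustration, not captures from any incident.
REQUESTS = {
    # operator pushes PHP to a shell that eval()s the POST body
    "post_plain": (b"POST /up.php HTTP/1.1\r\nHost: x\r\n\r\n"
                   b"c=eval(base64_decode('cGhwaW5mbygpOw=='));"),
    # same payload in the query string: no POST body, so no match
    "get_query": (b"GET /up.php?c=eval(base64_decode('cGhwaW5mbygpOw==')); "
                  b"HTTP/1.1\r\nHost: x\r\n\r\n"),
    # form-encoded body with the parenthesis percent-encoded: the literal
    # 'base64_decode(' never appears in the raw bytes
    "post_urlencoded": (b"POST /up.php HTTP/1.1\r\nHost: x\r\n\r\n"
                        b"c=eval%28base64_decode%28%27cGhwaW5mbygpOw%3D%3D%27%29%29%3B"),
    # PHP function names are case-insensitive, the content match is not
    "post_mixed_case": (b"POST /up.php HTTP/1.1\r\nHost: x\r\n\r\n"
                        b"c=eval(Base64_Decode('cGhwaW5mbygpOw=='));"),
}

RESPONSES = {
    # shell source served back with whitespace and newlines inside the call
    "shell_source": (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                     b"<?php\neval (\n  base64_decode('...'));\n?>"),
    # an extra decoder between eval( and base64_decode defeats the pcre
    "gzinflate_wrapped": (b"HTTP/1.1 200 OK\r\n\r\n"
                          b"<?php eval(gzinflate(base64_decode('...'))); ?>"),
    # base64_decode without eval: legitimate use, no match
    "no_eval": (b"HTTP/1.1 200 OK\r\n\r\n"
                b"<?php echo base64_decode($_GET['d']); ?>"),
}


def run_samples():
    """Return ({request name: sid:123991 hit}, {response name: sid:2017399 hit})."""
    return ({name: matches_sid_123991(raw) for name, raw in REQUESTS.items()},
            {name: matches_sid_2017399(raw) for name, raw in RESPONSES.items()})


if __name__ == "__main__":
    req_hits, resp_hits = run_samples()
    for name, hit in req_hits.items():
        print(f"sid:123991   {name:18s} {'ALERT' if hit else '-'}")
    for name, hit in resp_hits.items():
        print(f"sid:2017399  {name:18s} {'ALERT' if hit else '-'}")
```

Running it shows only the plain POST tripping sid:123991 and only the served shell source tripping sid:2017399; the percent-encoded and mixed-case POST bodies and the gzinflate-wrapped response pass both checks, which is the kind of gap the thread's follow-up rule for the http_client_body side would need to weigh.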