[Emerging-Sigs] 2025103/ET INFO HTTP POST Request to Suspicious *.cf Domain

Packet Hack pckthck at gmail.com
Thu Dec 7 07:57:22 HST 2017

Sig is falsing pretty bad on .cfm pages in the Referer.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO
HTTP POST Request to Suspicious *.cf Domain";
flow:established,to_server; content:"POST"; http_method;
content:".cf"; fast_pattern; http_header; classtype:bad-unknown;
sid:2025103; rev:2; metadata:created_at 2017_12_03, updated_at

Qualify this for the Host: header?

-- pckthck
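The false positive described in the post, as an added example (not code from the post or from the ET ruleset): it mirrors the rule's unanchored `content:".cf"; http_header;` match over every header, then applies a Host-scoped check that only fires when `.cf` is the final label of the hostname. The three sample requests and their hostnames are constructed for the demonstration.

```python
# Added example, not part of the Emerging-Sigs post or the ET ruleset.
# Shows why sid:2025103 fires on ".cfm" Referers and how a Host-scoped
# check that anchors on the TLD avoids that class of false positive.

def parse_headers(request: str) -> dict:
    """Return a lower-cased header-name -> value map for a raw HTTP request."""
    headers = {}
    for line in request.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def naive_match(request: str) -> bool:
    """Equivalent of content:".cf"; http_header; -- any header, any offset."""
    _, _, header_block = request.partition("\r\n")
    return ".cf" in header_block

def host_is_cf(request: str) -> bool:
    """Fire only when the Host header's hostname ends in the .cf TLD."""
    host = parse_headers(request).get("host")
    if host is None:
        return False
    hostname = host.split(":", 1)[0].lower()   # drop an optional :port
    return hostname.endswith(".cf")

# Constructed sample requests (hostnames are placeholders, not real IoCs).
FALSE_POSITIVE = (              # benign ColdFusion page in the Referer
    "POST /api/login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: https://www.example.com/login.cfm\r\n"
    "Content-Length: 0\r\n\r\n"
)
TRUE_POSITIVE = (               # POST to an actual .cf host, with a port
    "POST /upload HTTP/1.1\r\n"
    "Host: files.example.cf:8080\r\n"
    "Content-Length: 0\r\n\r\n"
)
SUBDOMAIN_CF = (                # ".cf" appears mid-hostname, not as the TLD
    "POST /api HTTP/1.1\r\n"
    "Host: www.cf.example.com\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in [("false positive", FALSE_POSITIVE),
                       ("true positive", TRUE_POSITIVE),
                       ("subdomain cf", SUBDOMAIN_CF)]:
        print(f"{label:15} naive={naive_match(req)} host_scoped={host_is_cf(req)}")
```

Note that a plain `content:".cf"; http_host;` would still hit the third request; a Host-scoped check needs the TLD anchored at the end of the hostname as the function does.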

