<div dir="ltr">Kevin, looks like this is covered by sid:2017399<br><br>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:6;)<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 16, 2014 at 7:10 AM, Travis Green <span dir="ltr"><<a href="mailto:tgreen@emergingthreats.net" target="_blank">tgreen@emergingthreats.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Kevin, we'll get it into QA. <br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Tue, Sep 16, 2014 at 2:27 AM, Kevin Ross <span dir="ltr"><<a href="mailto:kevross33@googlemail.com" target="_blank">kevross33@googlemail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER base64_decode In HTTP POST - Potential Malicious Obfuscation Attempt"; flow:established,to_server; content:"POST"; http_method; content:"base64_decode("; http_client_body; classtype:web-application-attack; sid:123991; rev:1;)<br><br>Kind Regards,<br>Kevin Ross<br><br></div></div>
<br></div></div>_______________________________________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@lists.emergingthreats.net" target="_blank">Emerging-sigs@lists.emergingthreats.net</a><br>
<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><br>-- <br><div dir="ltr"><font size="1">Public key: <a href="http://travisgreen.net/tgreen@emergingthreats.net.asc" target="_blank">http://travisgreen.net/tgreen@emergingthreats.net.asc</a></font><br></div>
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr"><font size="1">Public key: <a href="http://travisgreen.net/tgreen@emergingthreats.net.asc" target="_blank">http://travisgreen.net/tgreen@emergingthreats.net.asc</a></font><br></div>
</div>
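An added example, not part of the thread and not Emerging Threats code: a Python approximation of the match conditions of the two rules quoted above, run over constructed sample traffic to show which direction and buffer each one inspects. The function names and sample bodies are assumptions, and the engine's real buffer handling (HTTP normalization, file_data decoding) is not modelled.

```python
import re

# Approximates the pcre of sid:2017399 anchored after its "eval" content match:
# "eval", optional whitespace, "(", optional whitespace, "base64_decode".
EVAL_B64 = re.compile(rb"eval[\r\n\s]*?\x28[\r\n\s]*?base64_decode", re.I | re.S)


def match_2017399(direction, body):
    """Rule quoted in the reply: flow from_server, matched on file_data."""
    if direction != "from_server":
        return False
    return EVAL_B64.search(body) is not None


def match_proposed(direction, method, body):
    """Rule proposed in the first message: POST to server, literal in client body."""
    if direction != "to_server" or method != "POST":
        return False
    return b"base64_decode(" in body  # the rule has no nocase: exact bytes


# Constructed sample traffic (direction, method, body); not captured data.
SAMPLES = {
    "post_body": ("to_server", "POST", b"data=eval(base64_decode(AAAA))"),
    "get_request": ("to_server", "GET", b""),
    "response_spaced": ("from_server", None, b"<?php EVAL \r\n( base64_decode($a)); ?>"),
    "response_text": ("from_server", None, b"<p>base64_decode reference</p>"),
}


def evaluate(samples):
    """Return {name: (proposed_rule_hit, sid_2017399_hit)} for each sample."""
    return {
        name: (match_proposed(d, m, body), match_2017399(d, body))
        for name, (d, m, body) in samples.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLES).items():
        print(f"{name:16} proposed={hits[0]!s:5} sid2017399={hits[1]}")
```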