# Disabled entry: the leading '#' comments the rule out, so a sensor does not
# load it until the '#' is removed. The rule text is sid 2011386 rev 2: an
# unescape("%u....") pattern in server-to-client traffic from $HTTP_PORTS,
# gated on the ET_UNESCAPE flowbit (its setter rule is not shown on this page).
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape %u Shellcode Detected"; flowbits:isset,ET_UNESCAPE; flow:established,to_client; content:"unescape("; nocase; content:"%u"; nocase; within:8; content:"%u"; nocase; within:8; content:"%u"; distance:30; pcre:"/unescape\x28.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}.{30}.+\x25u[0-9,a-f]{2,4}/i"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2011386; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011386; rev:2;)

Added 2010-09-14 12:37:09 UTC


# Disabled entry (leading '#'): same sid 2011386 rev 2 rule text, commented out
# and therefore not evaluated by a sensor in this form.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape %u Shellcode Detected"; flowbits:isset,ET_UNESCAPE; flow:established,to_client; content:"unescape("; nocase; content:"%u"; nocase; within:8; content:"%u"; nocase; within:8; content:"%u"; distance:30; pcre:"/unescape\x28.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}.{30}.+\x25u[0-9,a-f]{2,4}/i"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2011386; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011386; rev:2;)

Added 2010-09-14 12:37:09 UTC


# Enabled entry for sid 2011386 rev 2 (classtype shellcode-detect).
#
# Scope: established TCP sessions, server-to-client direction
# (flow:established,to_client), source port in $HTTP_PORTS, destination in
# $HOME_NET.
#
# Precondition: flowbits:isset,ET_UNESCAPE. The rule is only evaluated on flows
# where another rule has already set that bit. The setter is not shown on this
# page; if it is disabled or missing from the loaded ruleset, this rule never
# fires.
#
# Match logic, in order:
#   1. "unescape(" anywhere in the payload, case-insensitive.
#   2. "%u" within 8 bytes after that match, then a second "%u" within 8 bytes
#      after the first (both case-insensitive).
#   3. A further "%u" starting at least 30 bytes after the second one
#      (distance:30). This content has no nocase modifier.
#   4. The pcre then confirms the overall shape: unescape( ... %uXXXX%uXXXX,
#      at least 31 more characters, then another %uXX..XXXX. It carries no 'R'
#      flag, so it is matched against the payload independently of the content
#      positions above, and no 's' flag, so '.' does not cross a newline.
#
# NOTE(review): the character class [0-9,a-f] also accepts a literal comma;
#   [0-9a-f] was presumably intended. Confirm with the rule maintainer before
#   changing, since it alters what the published sid matches.
# NOTE(review): the final content:"%u" is case-sensitive while the pcre uses /i,
#   so the two checks disagree on "%U". Adding nocase there would make them
#   consistent.
# NOTE(review): no HTTP buffer modifiers are used, so the matches run on the
#   payload as the sensor presents it. Whether compressed or chunked response
#   bodies are inspected depends on preprocessor configuration; verify on the
#   deployment.
# Triage: the msg says "Possible". unescape() with %u-encoded data also occurs
#   in legitimate older JavaScript, so corroborate an alert with the served
#   page content and any follow-on activity from the client.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape %u Shellcode Detected"; flowbits:isset,ET_UNESCAPE; flow:established,to_client; content:"unescape("; nocase; content:"%u"; nocase; within:8; content:"%u"; nocase; within:8; content:"%u"; distance:30; pcre:"/unescape\x28.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}.{30}.+\x25u[0-9,a-f]{2,4}/i"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2011386; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011386; rev:2;)

Added 2010-08-20 14:16:25 UTC


Topic revision: r1 - 2010-09-14 - TWikiGuest
 