# ET POLICY sid 2022679, rev 5: flags outbound HTTP requests shaped like Psiphon proxy-tool traffic.
# Matches an established client-to-server flow from $HOME_NET to $EXTERNAL_NET where:
#   - the method is POST and the URI is exactly one byte long (urilen:1);
#   - http_header contains "Content-Type: application/octet-stream\r\n" (nocase; chosen as the fast pattern);
#   - the whole cookie buffer (pcre /C, anchored ^...$) is one uppercase letter, "=", then
#     base64-alphabet characters with up to two "=" of padding;
#   - the Accept-Encoding value (http_accept_enc) begins with "gzip" (depth:4);
#   - http_header_names lists Content-Length and lists none of User-Agent, Referer, Connection,
#     Cache-Control or Accept. The trailing |0d 0a| on "Accept" keeps that negation from also
#     hitting Accept-Encoding.
# threshold: counted per source address (track by_src); 20 matches inside 120 seconds are needed
# before an alert, so a single stray request stays silent.
# NOTE(review): every condition is a header-shape heuristic on parsed HTTP, so it only covers
# traffic the sensor sees unencrypted, and other minimal clients that POST octet-stream bodies
# with a base64-looking cookie could match. Treat hits as policy leads and confirm on the endpoint.
# The md5 in `reference` presumably identifies the sample the signature was derived from — verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern; http_header; nocase; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?$/C"; http_accept_enc; content:"gzip"; depth:4; http_header_names; content:"Content-Length|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Connection"; content:!"Cache-Control"; content:!"Accept|0d 0a|"; threshold:type threshold, track by_src, count 20, seconds 120; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:5; metadata:created_at 2016_03_28, updated_at 2020_11_03;)

Added 2020-11-03 18:44:38 UTC


# ET POLICY sid 2022679, rev 5 (metadata updated_at 2020_02_28): policy detection for
# Psiphon-like HTTP requests leaving $HOME_NET for $EXTERNAL_NET.
# Required on an established, to_server flow:
#   - POST method, URI length of exactly 1 (urilen:1);
#   - "Content-Type: application/octet-stream\r\n" in http_header (nocase, fast pattern);
#   - cookie buffer (pcre /C) consisting only of <one uppercase letter>=<base64-alphabet run>
#     with zero to two trailing "=";
#   - http_accept_enc starting with "gzip" (depth:4);
#   - http_header_names containing "Content-Length\r\n".
# Must be absent from http_header_names: "User-Agent\r\n", "Referer\r\n", "Connection",
# "Cache-Control", "Accept\r\n" (the CRLF stops "Accept" from matching Accept-Encoding).
# threshold: track by_src, count 20, seconds 120 — a source has to match 20 times within
# 120 seconds before an alert is raised.
# NOTE(review): the signature keys on which headers a client sends, so it is only as specific as
# that header set is unusual in the monitored network; baseline it before acting on alerts.
# It inspects parsed HTTP only, so encrypted transports are outside its reach.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern; http_header; nocase; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?$/C"; http_accept_enc; content:"gzip"; depth:4; http_header_names; content:"Content-Length|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Connection"; content:!"Cache-Control"; content:!"Accept|0d 0a|"; threshold:type threshold, track by_src, count 20, seconds 120; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:5; metadata:created_at 2016_03_28, updated_at 2020_02_28;)

Added 2020-02-28 20:04:03 UTC


# ET POLICY sid 2022679, rev 4: heuristic for Psiphon proxy-tool requests leaving $HOME_NET over HTTP.
# Conditions (flow:established,to_server):
#   - POST with a one-byte URI (urilen:1);
#   - http_header contains "Content-Length:", "Content-Type: application/octet-stream\r\n" (nocase)
#     and "Accept-Encoding: gzip"; fast_pattern:20,20 hands the prefilter the 20 bytes at offset 20
#     of the Content-Type content, i.e. "ation/octet-stream\r\n";
#   - http_header contains none of "User-Agent: ", "Connection", "Cache-Control", "Accept: "
#     (the ": " suffix keeps "Accept" from matching Accept-Encoding);
#   - "Cookie: " is followed immediately (pcre /R) by one uppercase letter, "=", base64-alphabet
#     characters, up to two "=", then CRLF.
# NOTE(review): content:!"Referer|3a|" and content:"Cookie|3a 20|" carry no http_header modifier,
# so they and the relative pcre are evaluated on the raw stream payload rather than the header
# buffer. This looks unintended for the Referer negation — confirm before reusing this revision.
# threshold: per source (track by_src), 20 matches within 120 seconds are required before an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Length|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern:20,20; http_header; nocase; content:"Accept-Encoding|3a| gzip"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; content:!"Connection"; http_header; content:!"Cache-Control"; http_header; content:!"Accept|3a 20|"; http_header; content:"Cookie|3a 20|"; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?\r\n/R"; threshold:type threshold, track by_src, count 20, seconds 120; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:4; metadata:created_at 2016_03_28, updated_at 2016_03_28;)

Added 2018-09-13 19:52:27 UTC


Added 2018-09-13 18:00:50 UTC


# ET POLICY sid 2022679, rev 4 (with created_at/updated_at metadata): alerts on HTTP POSTs from
# $HOME_NET to $EXTERNAL_NET whose header set resembles Psiphon proxy-tool traffic.
# What has to be present (established, to_server):
#   - method POST, urilen:1 (URI exactly one byte);
#   - in http_header: "Content-Length:", "Content-Type: application/octet-stream\r\n" (nocase),
#     "Accept-Encoding: gzip";
#   - "Cookie: " followed directly (pcre /R, relative to that match) by <A-Z>=<base64-alphabet run>,
#     at most two "=" and CRLF, i.e. the cookie line ends after that one value.
# What has to be missing from http_header: "User-Agent: ", "Connection", "Cache-Control", "Accept: ".
# fast_pattern:20,20 selects bytes 20-39 of the Content-Type content ("ation/octet-stream\r\n")
# for the prefilter stage.
# NOTE(review): the Referer negation and the Cookie content have no http_header modifier, so they
# are matched against the raw payload, unlike the other header checks — verify this is intended.
# threshold: type threshold, track by_src, count 20, seconds 120 — 20 matches from one source
# within 120 seconds before alerting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Length|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern:20,20; http_header; nocase; content:"Accept-Encoding|3a| gzip"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; content:!"Connection"; http_header; content:!"Cache-Control"; http_header; content:!"Accept|3a 20|"; http_header; content:"Cookie|3a 20|"; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?\r\n/R"; threshold:type threshold, track by_src, count 20, seconds 120; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:4; metadata:created_at 2016_03_28, updated_at 2016_03_28;)

Added 2017-08-07 21:17:37 UTC


# ET POLICY sid 2022679, rev 4 (no metadata keyword): Psiphon-like HTTP POST heuristic,
# $HOME_NET -> $EXTERNAL_NET, established flow toward the server.
# Positive matches:
#   - http_method POST and urilen:1;
#   - http_header: "Content-Length:", "Content-Type: application/octet-stream\r\n" (nocase; its
#     bytes 20-39, "ation/octet-stream\r\n", are the fast pattern), "Accept-Encoding: gzip";
#   - "Cookie: " then, via pcre /R, one uppercase letter, "=", base64-alphabet characters,
#     optional "=" padding (max two) and CRLF.
# Negative matches in http_header: "User-Agent: ", "Connection", "Cache-Control", "Accept: ".
# NOTE(review): "Referer:" is negated and "Cookie: " is matched without an http_header modifier,
# so both run on the raw payload instead of the header buffer; confirm that was deliberate.
# threshold: a source (track by_src) must produce 20 matches in 120 seconds before an alert fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Length|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern:20,20; http_header; nocase; content:"Accept-Encoding|3a| gzip"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; content:!"Connection"; http_header; content:!"Cache-Control"; http_header; content:!"Accept|3a 20|"; http_header; content:"Cookie|3a 20|"; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?\r\n/R"; threshold:type threshold, track by_src, count 20, seconds 120; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:4;)

Added 2016-03-30 20:28:25 UTC


# ET POLICY sid 2022679, rev 4: policy-violation alert for outbound HTTP that looks like the
# Psiphon proxy tool.
# The request must be a POST to a one-byte URI (urilen:1) on an established to_server flow, with
# "Content-Length:", "Content-Type: application/octet-stream\r\n" (nocase) and
# "Accept-Encoding: gzip" in http_header, and with no "User-Agent: ", "Connection",
# "Cache-Control" or "Accept: " in http_header.
# The cookie check is content:"Cookie|3a 20|" plus a relative pcre (/R): a single
# <uppercase letter>=<base64-alphabet value> with up to two "=" and then CRLF.
# fast_pattern:20,20 restricts the prefilter pattern to 20 bytes starting at offset 20 of the
# Content-Type content.
# NOTE(review): the Referer negation and the Cookie match lack the http_header modifier used by
# the neighbouring contents, so they inspect the raw payload — presumably an oversight for
# Referer; check before relying on it.
# threshold: track by_src, count 20, seconds 120 (20 matches per source in 120 seconds).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Length|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern:20,20; http_header; nocase; content:"Accept-Encoding|3a| gzip"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; content:!"Connection"; http_header; content:!"Cache-Control"; http_header; content:!"Accept|3a 20|"; http_header; content:"Cookie|3a 20|"; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?\r\n/R"; threshold:type threshold, track by_src, count 20, seconds 120; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:4;)

Added 2016-03-30 20:14:36 UTC


# ET POLICY sid 2022679, rev 4: detects a header fingerprint associated with Psiphon proxy-tool
# traffic on HTTP from $HOME_NET to $EXTERNAL_NET.
# Fingerprint, all on an established to_server flow:
#   present — POST; URI of length 1; http_header "Content-Length:",
#             "Content-Type: application/octet-stream\r\n" (nocase), "Accept-Encoding: gzip";
#             "Cookie: " + <A-Z>=<base64-alphabet chars>[=][=] + CRLF (pcre /R after the Cookie match);
#   absent  — http_header "User-Agent: ", "Connection", "Cache-Control", "Accept: "; and "Referer:".
# fast_pattern:20,20 uses the 20-byte slice at offset 20 of the Content-Type content for prefiltering.
# NOTE(review): "Referer:" and "Cookie: " are written without http_header, so they are checked
# against the raw payload while every other header test uses the header buffer — verify intent.
# threshold: per-source counting (track by_src); alert after 20 matches within 120 seconds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Length|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern:20,20; http_header; nocase; content:"Accept-Encoding|3a| gzip"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; content:!"Connection"; http_header; content:!"Cache-Control"; http_header; content:!"Accept|3a 20|"; http_header; content:"Cookie|3a 20|"; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?\r\n/R"; threshold:type threshold, track by_src, count 20, seconds 120; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:4;)

Added 2016-03-30 18:23:30 UTC


# ET POLICY sid 2022679, rev 2: earliest revision listed here of the Psiphon proxy-tool heuristic
# for HTTP from $HOME_NET to $EXTERNAL_NET.
# Match conditions (flow:established,to_server):
#   - POST with urilen:1;
#   - http_header contains "Content-Length:", "Content-Type: application/octet-stream\r\n" (nocase;
#     fast_pattern:20,20 takes the 20 bytes at offset 20 of that content) and "Accept-Encoding: gzip";
#   - http_header lacks "User-Agent: ", "Connection", "Cache-Control" and "Accept: ";
#   - "Cookie: " is followed (pcre /R) by one uppercase letter, "=", base64-alphabet characters,
#     up to two "=", then CRLF.
# NOTE(review): the Referer negation and the Cookie content have no http_header modifier and so
# apply to the raw payload rather than the header buffer — confirm whether that was intended.
# threshold: track by_src, count 10, seconds 1 — a source must match 10 times within one second.
# NOTE(review): that window only fires on tight bursts; the rev 4 and rev 5 entries on this page
# use count 20, seconds 120 instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Length|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern:20,20; http_header; nocase; content:"Accept-Encoding|3a| gzip"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; content:!"Connection"; http_header; content:!"Cache-Control"; http_header; content:!"Accept|3a 20|"; http_header; content:"Cookie|3a 20|"; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?\r\n/R"; threshold:type threshold, track by_src, count 10, seconds 1; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:2;)

Added 2016-03-28 18:43:27 UTC

