# ET CURRENT_EVENTS sid:2025001 rev:3 (created 2017-09-14, updated 2020-02-13).
# Direction: client on $HOME_NET -> server on $EXTERNAL_NET, request side of an established
# flow only (flow:to_server,established). The request must be an HTTP GET (bound to the method
# via http_method) that is a WebSocket upgrade carrying socket.io markers:
#   - "&transport=websocket&sid=" in the URI (the fast_pattern anchor),
#   - "io=" and "connect.sid=" cookies,
#   - Sec-WebSocket-Version: 13, Sec-WebSocket-Extensions: permessage-deflate,
#     Sec-WebSocket-Key, Upgrade: websocket and an "origin: " header.
# The pcre flags H (http_header buffer), R (relative to the preceding "origin|3a 20|" content
# match) and i (case-insensitive) mean it inspects the Origin header value and fires when that
# value contains one of the listed brand / credential keywords (paypal, amazon, netflix,
# docusign, login, secure, account, ...).
# The "Possible Successful" wording appears to rest on the session id in the URI plus the
# io=/connect.sid= cookies, i.e. a socket.io session already established with the server
# before the upgrade — inferred from the msg and the matched fields, not stated in the rule.
# NOTE(review): the Origin keyword list is a heuristic; legitimate socket.io-backed sites whose
# hostname contains e.g. "cloud", "service", "secure", "login", "account" or "report" will also
# match. Tune with suppress/threshold entries rather than loosening the rule.
# NOTE(review): "origin|3a 20|" carries no nocase while browsers send "Origin:"; confirm whether
# the engine's http_header buffer normalises header-name case, otherwise this content (and the
# pcre anchored relative to it) only matches when the client sends the name in lowercase.
# Differs from rev:2 (below) only by binding content:"GET" to http_method.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Websocket Credential Phish Sep 15 2017"; flow:to_server,established; content:"GET"; http_method; content:"&transport=websocket&sid="; http_uri; fast_pattern; content:"Sec-WebSocket-Version|3a 20|13|0d 0a|"; http_header; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate"; http_header; content:"Sec-WebSocket-Key|3a 20|"; http_header; content:"connect.sid="; http_cookie; content:"io="; http_cookie; content:"Upgrade|3a 20|websocket"; http_header; content:"origin|3a 20|"; http_header; pcre:"/^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign\-?in|napchat)|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)/HRi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025001; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_09_14, updated_at 2020_02_13;)

Added 2020-02-13 19:11:45 UTC


# ET CURRENT_EVENTS sid:2025001 rev:2 (updated 2017-11-16) — superseded by rev:3 above; kept
# here as revision history only.
# Identical detection logic to rev:3 except that content:"GET" carries no http_method modifier,
# so "GET" is matched as a plain payload content anywhere in the request rather than being bound
# to the HTTP method; rev:3 tightens this.
# Same caveats apply: the Origin keyword pcre is a heuristic with false-positive potential on
# legitimate socket.io sites, and "origin|3a 20|" has no nocase (confirm the engine's
# http_header case handling).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Websocket Credential Phish Sep 15 2017"; flow:to_server,established; content:"GET"; content:"&transport=websocket&sid="; http_uri; fast_pattern; content:"Sec-WebSocket-Version|3a 20|13|0d 0a|"; http_header; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate"; http_header; content:"Sec-WebSocket-Key|3a 20|"; http_header; content:"connect.sid="; http_cookie; content:"io="; http_cookie; content:"Upgrade|3a 20|websocket"; http_header; content:"origin|3a 20|"; http_header; pcre:"/^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign\-?in|napchat)|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)/HRi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_09_14, updated_at 2017_11_16;)

Added 2017-11-16 16:21:55 UTC

