alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Chmod Usage in URI (Outbound)"; flow:to_server,established; content:"chmod"; fast_pattern; nocase; http_uri; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/URi"; content:!"&launchmode="; http_uri; content:!"/chmod/"; http_uri; content:!"searchmod"; http_uri; classtype:attempted-admin; sid:2029216; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_31, updated_at 2019_12_31;)

Added 2019-12-31 19:14:18 UTC


Topic revision: r1 - 2020-01-01 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats