253 lines
119 KiB
Plaintext
253 lines
119 KiB
Plaintext
|
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
||
|
#
|
||
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
||
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
||
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
||
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
||
|
# GNU General Public License (GPL), v2.
|
||
|
#
|
||
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
||
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
||
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
||
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
||
|
# list of third party owners and their respective copyrights.
|
||
|
#
|
||
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
||
|
# to the VRT Certified Rules License Agreement (v2.0).
|
||
|
#
|
||
|
#-----------------------------
|
||
|
# INDICATOR-OBFUSCATION RULES
|
||
|
#-----------------------------
|
||
|
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit"; flow:to_client,established; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:27875; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|7D|catch(d21vd12v)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27592; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION multiple plugin version detection attempt"; flow:to_client,established; file_data; content:"PluginDetect.getVersion"; fast_pattern:only; content:"PluginDetect.getVersion"; content:"PluginDetect.getVersion"; distance:0; content:"PluginDetect.getVersion"; distance:0; content:"PluginDetect.getVersion"; distance:0; content:!"LeadiD"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.com/2012/09/following-lead-of-suspected-blackhole2.html; classtype:attempted-recon; sid:27119; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt"; flow:to_client,established; file_data; content:"function "; content:"("; within:1; distance:1; content:"return "; within:24; distance:6; content:".substr("; within:8; distance:1; fast_pattern; content:"|3B|"; within:15; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:trojan-activity; sid:26451; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected"; flow:to_client,established; content:".write"; content:"unescape"; fast_pattern:only; pcre:"/var\s+([^\s]+)\s*=\s*unescape\s*\x28.*?\x2ewrite\s*\x28\s*\1/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:21040; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Dadongs obfuscated javascript"; flow:to_client,established; file_data; content:"(|22|dadongs=|22|)"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:misc-activity; sid:21519; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION oversized cast statement - possible sql injection obfuscation"; flow:established,to_server; content:"CAST|28|"; nocase; isdataat:250,relative; content:!"|29|"; within:250; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13791; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; content:"POST"; http_method; content:"CHAR("; nocase; http_uri; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smiU"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13989; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION oversized convert statement - possible sql injection obfuscation"; flow:established,to_server; content:"CONVERT|28|"; nocase; isdataat:250,relative; content:!"|29|"; within:250; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13987; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to concat function - possible sql injection obfuscation"; flow:established,to_server; content:"CONCAT|28|"; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:14008; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to ascii function - possible sql injection obfuscation"; flow:established,to_server; content:"ASCII|28|"; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13988; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION select concat statement - possible sql injection"; flow:established,to_server; content:"select concat"; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:19437; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack"; flow:to_client,established; content:".fromCharCode"; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/3008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15362; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt"; flow:to_client,established; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15363; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hidden 1x1 div tag - potential malware obfuscation"; flow:to_client,established; file_data; content:"<div style=|22|overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px|3B 22|>"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:19868; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION generic PHP code obfuscation attempt"; flow:established,to_server; content:"Array|28|"; content:"|20 20 20 20 2E|"; within:200; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:18493; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION malware-associated JavaScript obfuscation function"; flow:to_client,established; file_data; content:"function re|28|s,n,r,b,e|29|{if|28|s<b|7C 7C|s>e|29|return s|3B|"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-18132; classtype:trojan-activity; sid:18132; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|eva|22|+|22|l|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21578; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - charcode"; flow:to_client,established; file_data; content:"|22|c|22|+|22|h|22|+|22|ar|22|+|22|Code|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21577; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|from|22|+|22|CharCod|22|+|22|e|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21580; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharCod|22|+|22|e|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21579; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"c|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22074; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22073; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"f|00|r|00|o|00|m|00|C|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22072; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"e|00|v|00|a|00|l|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22071; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval of base64-encoded data"; flow:to_client,established; file_data; content:"eval|28|base64_decode|28|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:23018; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe"; flow:to_client,established; file_data; content:"<qwe qweqwe=|27|asd|27|/>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23088; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - push"; flow:to_client,established; file_data; content:"a|3D 27|pus|27 2B 27|h|27 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23086; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - xval"; flow:to_client,established; file_data; content:"q|3D|x|2B 27|v|27 2B 27|al|27 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23087; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - join"; flow:to_client,established; file_data; content:"b|3D 22|j|22 2B 22|o|22 2B 27|i|27 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23085; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern"; flow:to_client,established; file_data; content:"|3A|present>"; content:"|3A|interactive>1</"; distance:0; pcre:"/\x3c(?P<string>\w+)\x3apresent.*?\x3c(?P=string)\x3ainteractive.*?\x3c\x2f(?P=string)\x3ainteractive/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23089; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious"; flow:to_client,established; file_data; content:"GIF89a"; depth:6; nocase; content:"<?php"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.talosintel.com/2012/06/web-shell-poses-as-gif.html; reference:url,snort.org/rule_docs/1-23114; classtype:misc-activity; sid:23114; rev:10;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious"; flow:to_client,established; file_data; content:"eval|28|"; nocase; content:"gzinflate|28|"; within:25; nocase; content:"base64_decode|28|"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.talosintel.com/2012/06/web-shell-poses-as-gif.html; reference:url,snort.org/rule_docs/1-23113; classtype:misc-activity; sid:23113; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|e|22|+|22|val|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:23161; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharC|22|+|22|ode|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:23160; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript error suppression routine"; flow:to_client,established; file_data; content:"window.onerror = function|20 28 29 20 7B|return true"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:23226; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:established,to_client; file_data; content:"addEventListener|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23482; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:established,to_client; file_data; content:"setTimeout|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23481; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:10;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; content:"<script>"; fast_pattern:only; http_client_body; metadata:service http; reference:cve,2007-2865; reference:cve,2015-1653; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-036; classtype:web-application-attack; sid:21782; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; content:"escape("; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21785; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt"; flow:to_server,established; content:"%55%4e%49%4f%4e%20%53%45%4c%45%43%54"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; classtype:misc-attack; sid:21781; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; content:"|26 23|x3c|3B 26 23|x73|3B 26 23|x63|3B 26 23|x72|3B 26 23|x69|3B 26 23|x70|3B 26 23|x74|3B 26 23|x3e|3B|"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21784; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt"; flow:to_server,established; content:"%77%61%69%74%66%6f%72%20%64%65%6c%61%79"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; classtype:misc-attack; sid:21780; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; content:"%3C%73%63%72%69%70%74%3E"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21783; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; content:"|26 23|x65|3B 26 23|x73|3B 26 23|x63|3B 26 23|x61|3B 26 23|x70|3B 26 23|x65|3B 26 23|x28"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21787; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; content:"%65%73%63%61%70%65%28"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21786; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content"; flow:to_client, established; file_data; content:"<iframe "; nocase; content:"width=1"; within:50; nocase; content:"height=1"; within:80; distance:-40; nocase; content:"style=visibility|3A|hidden"; within:80; distance:-40; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.unmaskparasites.com/2009/10/28/evolution-of-hidden-iframes/; classtype:bad-unknown; sid:24168; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION document write of unescaped value with remote script"; flow:to_client,established; file_data; content:"document.write|28|unescape|28 27|%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:24167; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION ActiveX multiple adjacent object tags"; flow:to_client,established; file_data; content:"<object "; content:"classid"; within:50; content:"<object "; within:100; content:"classid"; within:50; content:"<object "; within:100; content:"classid"; within:50; content:"<object "; within:100; content:"classid"; within:50; content:"<object "; within:100; content:"classid"; within:50; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:25060; rev:4;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION GIF header followed by PDF header"; flow:to_client,established; content:"GIF8"; depth:4; content:"a"; within:1; distance:1; content:!"HTTP"; within:500; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25451; rev:6;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION DOC header followed by PDF header"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25454; rev:4;)
|
||
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION DOC header followed by PDF header"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25458; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION JPEG header followed by PDF header"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; content:"|FA FF DA 00 0C|"; within:800; content:"%PDF-"; within:224; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25457; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JPEG header followed by PDF header"; flow:to_client,established; file_data; content:"|FF D8 FF E0|"; depth:4; content:"|FA FF DA 00 0C|"; within:800; content:"%PDF-"; within:224; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25453; rev:4;)
|
||
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION PNG header followed by PDF header"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25456; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION PNG header followed by PDF header"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:!"HTTP"; within:500; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25452; rev:6;)
|
||
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION GIF header followed by PDF header"; flow:to_server,established; file_data; content:"GIF8"; depth:4; content:"a"; within:1; distance:1; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25455; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection"; flow:to_client,established; file_data; content:"|22|doc|22 2B 22|ument|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:25592; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION non-alphanumeric javascript detected"; flow:to_server,established; content:"+!![]"; content:"+!![]"; distance:0; content:"+!![]"; distance:0; content:"+!![]"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,patriciopalladino.com/blog/2012/08/09/non-alphanumeric-javascript.html; classtype:attempted-user; sid:23831; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION non-alphanumeric javascript detected"; flow:to_client,established; file_data; content:"+!![]"; content:"+!![]"; distance:0; content:"+!![]"; distance:0; content:"+!![]"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,patriciopalladino.com/blog/2012/08/09/non-alphanumeric-javascript.html; classtype:attempted-user; sid:23832; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; content:"GET"; http_method; content:"CHAR("; nocase; http_uri; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smiU"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:25783; rev:3;)
|
||
|
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-OBFUSCATION DNS tunneling attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00 1A|"; depth:9; offset:4; content:"|1A|"; within:1; distance:26; content:"|02|"; within:2; distance:26; metadata:service dns; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:25983; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages"; flow:to_client,established; file_data; content:"|22|f|22|+|22|ro|22|+|22|mCh|22|+|22|arCode|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26092; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION String.fromCharCode concatenation"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harCode|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26101; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits"; flow:to_client,established; file_data; content:"|88 54 68 25 DA 20 70 FE C5 67 72 ED C3 20 63 ED C6 6E 6F F8 88 62 65 AC DA 75 6E AC BF 6E 20 10 E6 53 20 E1 C5 64 65 FA A3 0D 0A E8 A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26352; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript uuencoded eval statement"; flow:to_client,established; content:"unescape"; nocase; content:"%u0065"; distance:0; nocase; content:"%u0076"; distance:0; nocase; content:"%u0061"; distance:0; nocase; content:"%u006c"; distance:0; nocase; pcre:"/unescape\s*\x28[\x22\x27]\s*\x25u0065\s*\x25u0076\s*\x25u0061\s*\x25u006c/i"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:19075; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected"; flow:to_client,established; file_data; content:">var "; nocase; content:"='="; within:3; distance:3; content:"var _0x"; distance:0; pcre:"/var [OIl]{3}='=[a-z0-9+=\/]+'\;var (?P<var>_0x[a-f0-9]+).*?(?:[lIO]+|data)\[(?P=var)\[\d+\]\]/ims"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:26440; rev:4;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected"; flow:to_client,established; file_data; content:"<!-- Obfuscated by www.myobfuscate.com -->"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:26441; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval of base64-encoded data"; flow:to_client,established; file_data; content:"eval|28|base64.decode|28|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26568; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"JXU0MTQxJXU0MTQxJXU0MTQx"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26565; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"NDE0MSV1NDE0MSV1NDE0"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26566; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"dTQxNDEldTQxNDEldTQxNDEK"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26567; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript indexOf rename attempt"; flow:to_client,established; file_data; content:"indexOf"; fast_pattern:only; pcre:"/=\s*[\x22\x27]indexOf[\x22\x27]\s*\x3b/"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:misc-activity; sid:26616; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript substr rename attempt"; flow:to_client,established; file_data; content:"substr"; fast_pattern:only; pcre:"/=\s*[\x22\x27]?substr[\x22\x27]?\s*\x3b/"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:misc-activity; sid:26615; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"{|5C|object"; fast_pattern; nocase; content:"{|5C|doccom"; distance:0; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:26620; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"{|5C|object"; fast_pattern; nocase; content:"{|5C|doccom"; distance:0; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:26619; rev:4;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|g|22|+|22|e|22|+|22|tEleme|22|+|22|nts|22|+|22|ByTagName|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:27074; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|getEl|22|+|22|eme|22|+|22|ntsByTagName"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:27073; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval large block of fromCharCode"; flow:to_client,established; file_data; content:"eval|28|"; nocase; pcre:"/([A-Z\d]+)\s*=\s*([\x22\x27])(\d{1,3},){50}.*?\2.{1,50}\1\s*=\s*eval\x28/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:27259; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval large block of fromCharCode"; flow:to_client,established; file_data; content:"eval|28|"; nocase; content:"String.fromCharCode|28|"; within:23; distance:1; nocase; pcre:"/([A-Z\d]+)\s*=\s*([\x22\x27])(\d{1,3},){50}.*?\2.{1,50}\1\s*=\s*eval\x28[\x22\x27]String\.fromCharCode\x28[\x22\x27]\x2B?\1/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:27258; rev:2;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harC|22|+|22|o|22|+|22|de|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:27272; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split"; flow:to_client,established; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:27593; rev:4;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|s|22|+|22|p|22|+|22|li|22|+|22|t|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27736; rev:6;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage"; flow:to_client,established; file_data; content:"|22|d|22|+|22|o|22|+|22|c|22|+|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27735; rev:6;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27920; rev:6;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|S|22|+|22|tr|22|+|22|ing|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:28025; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"[ps](|22|,|22|))|3B|ss=String|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:28024; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"ps=|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28023; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"aq=|22|0x|22 3B|ff=String|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28346; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"ps=|22|split|22 3B|asd=function()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28345; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation"; flow:established,to_server; content:"GET"; http_method; content:"CHR("; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:28344; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"+=String.fromCharCode(eval("; content:"gif=eval|3B|gif("; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28422; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|fr|22|+|22|omCh|22|+|22|arCo|22|+|22|de|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28421; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|c|22|+|22|r|22 3A|2+|22|e|22|+|22|a|22|+|22|t|22|+|22|e|22|+|22|E|22|+|22|l|22|+|22|e|22|+|22|m|22|+((f)?|22|e|22|+|22|n|22|+|22|t|22 3A 22 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28420; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|28 22|mCharCode|22 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28812; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|s|22 20 22|p|22 20 22|li|22 20 22|t|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28811; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"document[|22 5C|x62od|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28941; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit"; flow:to_client,established; file_data; content:"s|27|+|27|t|27|+|27|y|27|+|27|l|27|+|27|e|27|+|27|=|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:29190; rev:3;)
|
||
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential math library debugging"; flow:to_client,established; file_data; content:"Math.atan2|28|0x"; content:"Math."; distance:0; content:"|28|0x"; within:8; content:"Math."; distance:0; content:"|28|0x"; within:8; content:"Math."; distance:0; content:"|28|0x"; within:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.talosintel.com/2013/10/ie-zero-day-cve-2013-3897-youve-been.html; classtype:trojan-activity; sid:29213; rev:5;)
|
||
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Multiple character encodings detected"; flow:established,to_server; file_data; content:"unescape"; content:"String.fromCharCode"; content:".split"; content:").toString"; content:".reverse()"; content:".join(|22 22|)"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:29510; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt"; flow:to_client,established; content:"<object"; nocase; content:"classid="; nocase; content:"|3B 26 23|"; within:36; fast_pattern; pcre:"/classid=\s*[\x22\x27]\s*[A-Za-z\:\{-]{0,42}((\x26\x23\d{2,3}\x3B){2}[^\x22\x27]{0,35}){5}/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:29813; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Alternating character encodings - JS array"; flow:to_client,established; file_data; content:"|22 5C 5C|u00"; nocase; content:"|22 2C 20 22|"; within:4; distance:2; content:"|22 2C 20 22 5C 5C|u00"; within:9; distance:1; pcre:"/\x22\x5c\x5cu00[0-9a-f]{2}\x22\x2c\s\x22\w\x22\x2c\s\x22\x5c\x5cu00[0-9a-f]{2}/i"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:29807; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Alternating character encodings - JS variable"; flow:to_client,established; file_data; content:"var "; nocase; content:"|5C|x00"; within:50; fast_pattern; nocase; content:"|5C|u00"; within:4; distance:2; nocase; content:"|5C|x00"; within:4; distance:2; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:29745; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|bin"; fast_pattern; nocase; content:"|5C|bin"; within:15; nocase; content:"|5C|bin"; within:15; nocase; content:"|5C|bin"; within:15; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0158; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:30328; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|bin"; fast_pattern; nocase; content:"|5C|bin"; within:15; nocase; content:"|5C|bin"; within:15; nocase; content:"|5C|bin"; within:15; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:30327; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript variable obfuscation"; flow:to_client,established; file_data; content:"|22 2B 22 22 2B 22 22 2B 22 22 2B 22 22 2B 22|"; content:"|22 2B 22 22 2B 22 22 2B 22 22 2B 22 22 2B 22|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:32355; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known malicious javascript packer detected"; flow:to_client,established; file_data; content:"=|22|1|22 3B|"; content:"=unescape|3B|"; within:25; nocase; content:"=|22|1|22 3B|"; within:25; content:"=eval|3B|"; within:25; nocase; content:"=|22|1|22 7D|"; within:25; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:34118; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Multiple AV products evasion attempt"; flow:to_server,established; file_data; content:"|1F 8B|"; depth:2; content:"|00 00 1F 8B|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-1461; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:34227; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Multiple AV products evasion attempt"; flow:to_client,established; file_data; content:"|1F 8B|"; depth:2; content:"|00 00 1F 8B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1461; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:34226; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join"; flow:to_client,established; content:".split(|22 22|).reverse().join(|22 22|)"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:29519; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Multiple character encodings detected"; flow:established,to_client; file_data; content:"unescape"; content:"String.fromCharCode"; content:".split"; content:").toString"; content:".reverse()"; content:".join(|22 22|)"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:29509; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated script encoding detected"; flow:to_client,established; file_data; content:"script"; nocase; content:"language"; within:50; nocase; content:"|3B 26 23|"; within:20; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:28630; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated script encoding detected"; flow:to_client,established; file_data; content:"script"; nocase; content:"language"; within:50; nocase; content:"JScript.Encode"; within:50; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:28629; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected"; flow:established,to_client; file_data; content:"String.fromCharCode"; fast_pattern:only; pcre:"/charCodeAt\s*\x28\s*?i\s*?\x29\s*?\x5e\s*?(?P<var>[^\s]+?)\.charCodeAt\s*?\x28\s*?i\s*?\x25\s*?(?P=var)/si"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:26596; rev:10;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript hex character extraction routine detected"; flow:established,to_client; file_data; content:"String.fromCharCode"; fast_pattern:only; pcre:"/String\x2efromCharCode\s*\x28[^\x29]*parseInt\s*\x28[^\x29]*substring\s*\x28\s*([^,]+)\s*,\s*\1\s*\+\s*2/si"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:26595; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected"; flow:to_client,established; content:".write"; content:"unescape"; pcre:"/\x2ewrite\s*\x28\s*unescape\s*\x28/smi"; content:"%"; distance:0; content:"%"; within:1; distance:2; content:"%"; within:1; distance:2; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:21039; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected"; flow:to_client,established; content:"String.fromCharCode"; fast_pattern:only; pcre:"/String\x2efromCharCode\s*\x28[^\x29]*0x[0-9a-f]{2}\s*,[^\x29]*,\s*0[0-7]{1,3}\s*,[^\x29]*,\s*[1-9][0-9]{0,2}\s*,/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:21038; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION randomized javascript encodings detected"; flow:to_client,established; file_data; content:"script"; content:"%u"; pcre:"/%u[0-1][0-9a-f]{2}[^\x29]*%u[0-1][0-9a-f]{2}[^\x29]*%u[0-1][0-9a-f]{2}[^\x29]*%u[0-1][0-9a-f]{2}/"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:21037; rev:11;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION standard ASCII encoded with UTF-8 possible evasion detected"; flow:to_client,established; content:"charset"; nocase; http_header; content:"utf-8"; fast_pattern:only; http_header; pcre:"/charset\s*=\s*utf-8/smiH"; file_data; pcre:"/([\xc0-\xc1][\x80-\xbf]){10}/"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:20276; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u0a0a%u0a0a"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:20137; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded data object found"; flow:to_client,established; file_data; content:"data"; nocase; content:"text/html"; within:20; nocase; content:"base64"; within:20; fast_pattern; nocase; pcre:"/data\s*\x3a\s*text\x2fhtml\s*\x3b\s*base64\s*,/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:19889; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected"; flow:to_client,established; file_data; content:".write"; content:"unescape"; fast_pattern:only; pcre:"/var\s+([^\s]+)\s*=\s*unescape\s*\x28.*?\x2ewrite\s*\x28\s*\1/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:19888; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected"; flow:to_client,established; file_data; content:".write"; content:"unescape"; pcre:"/\x2ewrite\s*\x28\s*unescape\s*\x28/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:19887; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected"; flow:to_client,established; file_data; content:"String.fromCharCode"; fast_pattern:only; pcre:"/String\x2efromCharCode\s*\x28[^\x29]*0x[0-9a-f]{2}\s*,[^\x29]*,\s*0[0-7]{1,3}\s*,[^\x29]*,\s*[1-9][0-9]{0,2}\s*,/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:19884; rev:10;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION randomized javascript encodings detected"; flow:to_client,established; file_data; content:"script"; content:"%u"; pcre:"/%u[0-9a-f]{2}[^\x29]*%[0-9a-f]{2}[^\x29]*%u[0-9a-f]{2}[^\x29]*%[0-9a-f]{2}/"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:19867; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known suspicious decryption routine"; flow:to_client,established; file_data; content:".length|3B|i++"; content:"+= String.fromCharCode("; within:102; content:".charCodeAt(i)"; within:102; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:19081; rev:15;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript uuencoded noop sled attempt"; flow:to_client,established; content:"unescape"; nocase; content:"%u9090%u9090"; distance:0; nocase; pcre:"/unescape\s*\x28[\x22\x27]\s*\x25u9090\x25u9090/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:19074; rev:11;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known malicious JavaScript decryption routine"; flow:to_client,established; file_data; content:"location.search.substring|28|1|29|"; nocase; content:".charCodeAt|28|"; within:200; content:".length|29|"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:18239; rev:11;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rename of javascript unescape function detected"; flow:to_client,established; file_data; content:"unescape |3B|"; nocase; content:"="; within:2; distance:-12; content:!"AVG_Unescape"; within:12; distance:-14; pcre:"/var[^=]+?=\s?unescape\s?\x3b/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:17400; rev:17;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded uri data object found"; flow:to_client,established; file_data; content:"base64"; pcre:"/<\s*object[^>]*?data\s*\x3A[^,>]*?base64/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:17291; rev:10;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known JavaScript obfuscation routine"; flow:to_client,established; content:"String.fromCharCode|28|parseInt"; content:"String.fromCharCode|28|"; within:1000; content:".charCodeAt|28|"; within:100; content:".replace"; within:100; pcre:"/\.replace\x28\x2F[^\x2F]+\x2F[A-Z]*\x2C(\x22\x22|\x27\x27)/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:17111; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rename of javascript unescape function detected"; flow:to_client,established; file_data; content:"unescape|3B|"; nocase; content:"="; within:2; distance:-11; content:!"AVG_Unescape"; within:12; distance:-14; pcre:"/var[^=]+?=\s?unescape\s?\x3b/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:15697; rev:13;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution"; flow:to_client,established; file_data; content:"IFRAME"; fast_pattern:only; pcre:"/\x3c\s*IFRAME\s*[^\x3e]*src=(\x22|\x27\|)javascript\x3a/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13544; reference:bugtraq,30560; reference:cve,2005-1476; reference:cve,2008-2939; reference:nessus,18243; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:3679; rev:18;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Javascript stealth executable download attempt"; flow:to_server,established; file_data; content:"addEventListener"; nocase; content:"DOMContentLoaded"; within:20; nocase; content:"onclick"; within:100; nocase; content:"application/x-msdownload"; distance:0; nocase; content:"saveAs"; within:30; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.mrg-effitas.com/wp-content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf; classtype:trojan-activity; sid:35738; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript stealth executable download attempt"; flow:to_client,established; file_data; content:"addEventListener"; nocase; content:"DOMContentLoaded"; within:20; nocase; content:"onclick"; within:100; nocase; content:"application/x-msdownload"; distance:0; nocase; content:"saveAs"; within:30; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.mrg-effitas.com/wp-content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf; classtype:trojan-activity; sid:35737; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"SecureSwfLoader|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:36036; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join attempt"; flow:to_server,established; content:".split(|22 22|).reverse().join(|22 22|)"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:36070; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"Protected by secureSWF"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:37729; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"allowLoadBytesCodeExecution"; fast_pattern:only; content:"|FF 15|"; byte_test:4,>,1024,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3113; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:attempted-user; sid:37728; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION obfuscated script encoding detected"; flow:to_server,established; file_data; content:"script"; nocase; content:"language"; within:50; nocase; content:"|3B 26 23|"; within:20; fast_pattern; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37972; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION obfuscated script encoding detected"; flow:to_server,established; file_data; content:"script"; nocase; content:"language"; within:50; nocase; content:"JScript.Encode"; within:50; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37971; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION email of heavily compressed PDF attempt"; flow:to_server,established; file_data; content:"pdf:Producer>Neevia PDFcompress"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37950; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION download of heavily compressed PDF attempt"; flow:to_client,established; file_data; content:"pdf:Producer>Neevia PDFcompress"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37949; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION known malicious JavaScript decryption routine"; flow:to_server,established; file_data; content:"location.search.substring|28|1|29|"; nocase; content:".charCodeAt|28|"; within:200; content:".length|29|"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:37948; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known javascript packer detected"; flow:to_client,established; file_data; content:"eval|28|function|28|p,a,c,k,e,"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37909; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript with hex variable names"; flow:to_client,established; file_data; content:"var _0x"; content:"=[|22 5C|x"; within:8; distance:3; content:"|5C|x"; within:2; distance:2; content:"|5C|x"; within:2; distance:2; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37908; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript unicode escape variable name attempt"; flow:to_client,established; file_data; content:"var |5C|u00"; content:"|5C|u00"; within:5; distance:2; content:"|5C|u00"; within:5; distance:2; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37907; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript known obfuscation method attempt"; flow:to_client,established; file_data; content:"|24|=~[]|3B 24|={___|3A|++|24|,|24 24 24 24 3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37906; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript charset concatentation attempt"; flow:to_client,established; file_data; content:"charset=|5C 22|iso-8859-1|5C 22|>|22|.concat|28|d|28 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37905; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt"; flow:to_client,established; file_data; content:"|22|charAt|22|,|22|indexOf|22|,|22|fromCharCode|22|,|22|length|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37904; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt"; flow:to_client,established; file_data; content:"[String.fromCharCode,isNaN,parseInt,String]|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37903; rev:2;)
|
||
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-OBFUSCATION DNS tunneling attempt"; flow:to_server,no_stream; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; isdataat:80,relative; content:"|00 0A 00 01|"; within:15; distance:80; fast_pattern; detection_filter:track by_src, count 25, seconds 1; metadata:service dns; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:37892; rev:3;)
|
||
|
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION DNS tunneling attempt"; flow:to_client,no_stream; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 07 06|(){}[]"; fast_pattern; content:"|00 0A 00 01|"; within:4; distance:-17; detection_filter:track by_src, count 25, seconds 1; metadata:service dns; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:37891; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Javascript obfuscation double unescape"; flow:to_server,established; file_data; content:"unescape(unescape("; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:38105; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation double unescape"; flow:to_client,established; file_data; content:"unescape(unescape("; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:38104; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected"; flow:to_client,established; file_data; content:"<script language="; nocase; content:"|26 23|"; within:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.w3.org/TR/html4/sgml/entities.html; classtype:misc-activity; sid:38251; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected"; flow:to_client,established; file_data; content:"CLASSID="; nocase; content:"|26 23|"; within:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.w3.org/TR/html4/sgml/entities.html; classtype:misc-activity; sid:38250; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt"; flow:to_client,established; content:"-Encoding:"; fast_pattern; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-27; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-16; nocase; http_header; content:!"chunked"; within:13; nocase; http_header; content:"|0D 0A|"; within:4; distance:-21; http_header; content:"-Encoding:"; distance:19; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-27; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-16; nocase; http_header; content:!"chunked"; within:13; nocase; http_header; content:"|0D 0A|"; within:4; distance:-21; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38341; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt"; flow:to_client,established; content:"-Encoding"; fast_pattern; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-26; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-15; nocase; http_header; content:"|2C|"; within:50; http_header; pcre:"/(Transfer|Content)-Encoding\s*:[^\r]*?(\x2c|\r\n\x20[^\r]*?\x2c)/Hmi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38340; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt"; flow:to_client,established; content:"-Encoding"; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-26; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-15; nocase; http_header; content:!"|3A| "; within:2; http_header; pcre:"/(Transfer|Content)-Encoding\s*?:[^\r]*?([\x2c\x0d\x00]|\r\n\x20[^\r]*?[\x2c\x0d\x00])(?!\x0a)/Hmi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38337; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt"; flow:to_client,established; content:"-Encoding"; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-27; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-16; nocase; http_header; content:"|0D 0A|"; within:4; distance:-20; http_header; content:"|3A 3A|"; within:10; distance:16; http_header; pcre:"/\r\n(Transfer|Content)-Encoding\s*?\x3a\x3a/iH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38332; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt"; flow:to_client,established; content:"Content-Encoding"; fast_pattern:only; http_header; pcre:"/^Content-Encoding\s*:\s{2,}[a-z0-9\-]{2}/imH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38369; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt"; flow:to_client,established; content:"Content-Encoding"; fast_pattern:only; http_header; pcre:"/Content-Encoding\s*:\s*[a-z0-9-]{2,}\s*[\x00\x0b\x0c,]/imH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38368; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt"; flow:to_client,established; content:"Content-Encoding"; fast_pattern; nocase; http_header; content:"gzip"; within:50; nocase; http_header; content:"|1F 8B 08|"; within:500; byte_test:1,&,4,0,relative; content:!"|00 00|"; within:2; distance:7; byte_extract:2,7,esize,relative,little; isdataat:esize,relative; content:!"|00|"; within:2; distance:esize; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38394; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION newline only separator evasion"; flow:to_client,established; content:"Content-Encoding"; fast_pattern:only; pcre:"/:[\x20-\x7e]*\nContent-Encoding/H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38541; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt"; flow:to_client,established; content:"HTTP/"; depth:5; fast_pattern; nocase; content:!"0.9 "; within:4; content:!"1.0 "; within:4; content:!"1.1 "; within:4; content:!"2.0 "; within:4; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38595; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION newline only separator evasion"; flow:to_client,established; content:"|0A|Transfer-Encoding"; depth:18; nocase; http_stat_code; content:!"|0D 0A|"; within:2; distance:-19; http_stat_code; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38618; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION carriage return only separator evasion"; flow:to_client,established; content:"|0D|Transfer-Encoding"; depth:18; nocase; http_stat_code; content:!"|0D 0A|"; within:2; distance:-19; http_stat_code; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38617; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION carriage return only separator evasion"; flow:to_client,established; content:"|0D|Transfer-Encoding"; nocase; http_stat_msg; content:!"|0D 0A|"; within:2; distance:-19; http_stat_msg; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38616; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION newline only separator evasion"; flow:to_client,established; content:"|0A|Transfer-Encoding:"; nocase; http_header; content:!"|0D 0A|"; within:2; distance:-20; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38615; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION carriage return only separator evasion"; flow:to_client,established; content:"|0D|Content-Encoding:"; nocase; http_header; content:!"|0D 0A|"; within:2; distance:-19; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38614; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt"; flow:to_client,established; content:"HTTP/"; depth:5; fast_pattern; nocase; content:!"HTTP/"; within:5; distance:-5; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38602; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt"; flow:to_client,established; content:"HTTP/"; depth:5; nocase; content:"Content-Length:"; nocase; content:!"|0D 0A 0D 0A|"; within:6; pcre:"/^Content-Length:\s*?\d+?\x20*?(\n{2}|\n\r+\n|\r?\n\t|\r?\n\x0b)/im"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38601; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt"; flow:to_client,established; content:"HTTP/1.1 6"; depth:10; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38600; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt"; flow:to_client,established; content:"HTTP/1.1 10"; depth:12; fast_pattern; nocase; content:"HTTP/1.1 20"; within:200; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38599; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION invalid HTTP header evasion attempt"; flow:to_client,established; content:"HTTP|5C|"; depth:5; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38598; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header null byte evasion attempt"; flow:to_client,established; content:"Transfer"; nocase; http_header; content:"|00|"; within:20; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38597; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header null byte evasion attempt"; flow:to_client,established; content:"Content"; nocase; http_header; content:"|00|"; within:20; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38596; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt"; flow:to_client,established; content:"Content-Encoding"; fast_pattern; nocase; http_header; content:"deflate"; within:10; nocase; http_header; content:!"DEFLATE"; within:7; distance:-7; http_header; content:!"deflate"; within:7; distance:-7; http_header; content:!"Deflate"; within:7; distance:-7; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38667; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt"; flow:to_client,established; content:"HTTP/1."; depth:7; fast_pattern; nocase; content:"|0D 0A|"; http_header; content:"|0D 0A|"; within:40; http_header; content:!"|3A|"; within:30; distance:-30; http_header; pcre:"/\r\n[^:\r\n]{2,}?\r\n(?!\r\n)/iH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38666; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt"; flow:to_client,established; content:"301"; http_stat_code; content:!"Location:"; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38642; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid header line evasion attempt"; flow:to_client,established; content:"|0D 0A|"; http_header; content:"|0D 0A|"; within:15; http_header; pcre:"/\r\n[\x20\t]*?[:\x20]+?[\w\d-_]*?\r\n/Hi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38641; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt"; flow:to_client,established; content:"HTTP/1.1 "; depth:9; nocase; pcre:"/^HTTP\/1\.1 (?!\d{3}\x20)(([\d\w]+?|\d\d?|\d{4,})\x20)/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38637; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header value without key evasion attempt"; flow:to_client,established; content:"|0D 0A|:"; http_header; content:"|0D 0A|"; within:15; http_header; pcre:"/^:[^\r\n]+?\r\n/imH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38734; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt"; flow:to_client,established; content:"HTTP/"; depth:5; content:!"1.1 "; within:4; content:!"1.0 "; within:4; content:"|3A|"; http_header; pcre:"/^[^\r\n:]+?:[^\r\n:]/imH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38679; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION UTF-8 evasion attempt"; flow:to_client,established; content:"|C2|"; fast_pattern:only; http_header; content:"|C2|"; http_raw_header; byte_test:1,>=,0x80,0,relative; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38678; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION UTF-8 evasion attempt"; flow:to_client,established; content:"|C3|"; fast_pattern:only; http_header; content:"|C3|"; http_raw_header; byte_test:1,>=,0x80,0,relative; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38677; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Brotli encoding evasion attempt"; flow:to_client,established; content:"-encoding"; fast_pattern; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-27; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-16; http_header; content:"br"; within:10; nocase; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38922; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt"; flow:to_client,established; content:"-encoding"; nocase; http_header; content:"gzip"; within:15; nocase; http_header; content:"|0D 0A 0D 0A 1F 8B 08|"; fast_pattern; byte_test:1,&,2,0,relative; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:39323; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt"; flow:to_client,established; content:"-encoding"; fast_pattern; nocase; http_header; content:"gzip"; within:20; nocase; http_header; content:"|0D 0A 0D 0A 1F 8B 08|"; byte_test:1,&,224,0,relative; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:39321; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt"; flow:to_client,established; content:"HTTP/1.1 200"; depth:12; nocase; content:!"OK"; within:3; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:39320; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack"; flow:to_client,established; content:".fromCharCode"; nocase; pcre:"/\.fromCharCode\s*\x28[^\x29]*,\s*[1-9][^\x29]*,\s*0[^\x29]*,\s*0x/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:39490; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack"; flow:to_client,established; file_data; content:".fromCharCode"; nocase; pcre:"/\.fromCharCode\s*\x28[^\x29]*,\s*[1-9][^\x29]*,\s*0[^\x29]*,\s*0x/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:39489; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack"; flow:to_client,established; file_data; content:".fromCharCode"; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/3008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:39488; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt."; flow:to_client,established; content:"HTTP/"; depth:5; nocase; content:!"1.1 "; within:4; content:"-Encoding"; nocase; http_header; content:!"Content-Transfer-Encoding"; within:25; distance:-25; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-15; nocase; http_header; content:"Chunked"; within:30; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:40250; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt"; flow:to_client,established; file_data; content:"Content-"; nocase; http_header; content:"rfc822"; within:50; nocase; http_header; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41714; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header"; flow:to_client,established; content:"Content-Encoding: gzip"; fast_pattern:only; http_header; content:!"Content-Length: "; nocase; http_header; content:!"Transfer-Encoding: "; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:42017; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode"; flow:to_client,established; file_data; content:"dHJpbmcuZnJvbUNoYXJDb2Rl"; content:"atob|28|"; content:"eval|28|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42111; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated vbscript detected"; flow:to_client,established; file_data; content:"<script"; content:"type"; within:5; content:"javascript"; within:20; content:"base64decode"; within:30; content:"base64DecodeChars"; within:50; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43708; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated vbscript detected"; flow:to_client,established; file_data; content:"<script"; content:"type"; within:5; content:"VBScript"; within:20; content:"Encode"; within:20; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43707; rev:2;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call"; flow:to_client,established; file_data; content:"136.134.149.102.141.134.142.134.143.149.148.99.154.117.130.136.111.130.142.134"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:43256; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt"; flow:to_client,established; pkt_data; content:"|76 D6 34 AF 55 71 F5 74 76 0C D2 05 00 E3 98 C2 BB 22 00 00 00|STANDARD-ANTIVIRUS"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43216; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"%3Cscript%20type%3D%22text%2Fvbscript%22%3E"; fast_pattern:only; content:"document.write"; nocase; content:"unescape"; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42950; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt"; flow:to_client,established; file_data; content:"unescape"; nocase; content:"%64%6f%63%75%6d%65%6e%74"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42949; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt"; flow:to_client,established; file_data; content:"nbencode"; nocase; content:"|5C|x73|5C|x70|5C|x6C|5C|x69|5C|x74"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42948; rev:2;)
|
||
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt"; flow:to_client,established; file_data; content:"function String.prototype.r|28 29|{"; fast_pattern:only; content:".r|28 29|"; content:".r|28 29|"; distance:0; content:".r|28 29|"; distance:0; content:".r|28 29|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.virustotal.com/en/file/2307751251a87df5ae2838e83f79ecb8d3acc74ef25ae06d59ab1ac3ca6589fd/analysis/1495021248/; classtype:misc-activity; sid:42947; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt"; flow:to_client,established; file_data; content:"|5C|x76|5C|x61|5C|x6C|5C|x75|5C|x65|5C|x4F|5C|x66"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42946; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript regex"; flow:to_client,established; file_data; content:"*/RegExp/*"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43837; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Adobe Flash file packed with SecureSwf obfuscator"; flow:to_client,established; file_data; content:"_--_--"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43836; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF obfuscation string"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C 7D 5C 5C 5C 2D 5C 2B 5C 25 5C 5C 5C 5C 5C 25 5C 7B 5C 7D 5C 2B 5C 7D 5C 25 5C 2B 5C 7D 7D|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:43990; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION newlines embedded in rtf header"; flow:to_client,established; file_data; flowbits:isset,file.rtf; content:"{|5C|rt|0A 0A 0A|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:43989; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt"; flow:to_client,established; file_data; content:"getXMLHttpRequest"; fast_pattern:only; content:"reverse"; nocase; content:"join"; within:20; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:44172; rev:2;)
|
||
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt"; flow:to_server,established; content:"|22 3B 40|eval|28 24|"; fast_pattern:only; http_client_body; pcre:"/^\x24\w+=\x22\x5c(142|x62)\x5c(141|x61)\x5c(163|x73)\x5c(145|x65)\x5c(66|x36)\x5c(64|x34)\x5c(137|x5f)\x5c(144|x64)\x5c(145|x65)\x5c(143|x63)\x5c(157|x6f)\x5c(144|x64)\x5c(145|x65)\x22\x3b\x40eval\x28\x24/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,fopo.com.ar; classtype:misc-attack; sid:44235; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt"; flow:to_client,established; file_data; content:"GetEncoding"; nocase; content:"GetString"; within:100; nocase; content:"FromBase64String"; within:100; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:44615; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt"; flow:to_server,established; file_data; content:"decodeURIComponent"; fast_pattern:only; content:"function"; nocase; content:"function"; within:50; nocase; content:"split"; within:200; content:"charCodeAt"; within:200; content:"push"; within:200; content:"charAt"; within:200; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:44693; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt"; flow:to_client,established; file_data; content:"decodeURIComponent"; fast_pattern:only; content:"function"; nocase; content:"function"; within:50; nocase; content:"split"; within:200; content:"charCodeAt"; within:200; content:"push"; within:200; content:"charAt"; within:200; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:44692; rev:2;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected "; flow:to_client,established; content:"|5C|x63|5C|x6F|5C|x69|5C|x6E|5C|x68|5C|x69|5C|x76|5C|x65"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:45810; rev:1;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected "; flow:to_client,established; content:"C|3A|//"; content:"C|3A|//"; within:30; content:"C|3A|//"; within:30; content:"C|3A|//"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:45809; rev:1;)
|
||
|
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION DNS TXT response record tunneling"; flow:to_client; dsize:>300; content:"|00 10 00 01 00 00 00 00 01 00 FF|"; fast_pattern:only; detection_filter:track by_src, count 25, seconds 1; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1048; classtype:misc-activity; sid:47639; rev:1;)
|
||
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET ![20,21] (msg:"INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt"; flow:to_server,established; content:"STOR "; depth:5; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/wiki/Technique/T1048; classtype:misc-activity; sid:47402; rev:1;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt"; icode:0; content:"HTTP/"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/wiki/Technique/T1048; classtype:misc-activity; sid:47401; rev:1;)
|
||
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; nocase; content:"|5C|hlsrc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48306; rev:1;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt"; flow:to_client, established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; nocase; content:"|5C|hlsrc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48305; rev:1;)
|
||
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; nocase; content:"|5C 27|"; within:100; content:"|5C 27|"; within:25; content:"|5C 27|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48304; rev:1;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt"; flow:to_client, established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; nocase; content:"|5C 27|"; within:100; content:"|5C 27|"; within:25; content:"|5C 27|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48303; rev:1;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt"; flow:to_server,established; file_data; content:"href"; nocase; content:"http"; within:30; nocase; content:"̴"; within:200; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,thehackernews.com/2019/01/phishing-zero-width-spaces.html; classtype:misc-activity; sid:48864; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt"; flow:to_client,established; file_data; content:"href"; nocase; content:"http"; within:30; nocase; content:"ʌ"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1192; reference:url,thehackernews.com/2019/01/phishing-zero-width-spaces.html; classtype:misc-activity; sid:48863; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt"; flow:to_server,established; file_data; content:"href"; nocase; content:"http"; within:30; nocase; content:"ʌ"; within:200; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,thehackernews.com/2019/01/phishing-zero-width-spaces.html; classtype:misc-activity; sid:48862; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt"; flow:to_client,established; file_data; content:"href"; nocase; content:"http"; within:30; nocase; content:"̴"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1192; reference:url,thehackernews.com/2019/01/phishing-zero-width-spaces.html; classtype:misc-activity; sid:48861; rev:2;)
|