# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------------
# INDICATOR-OBFUSCATION RULES
#-----------------------------
#
# NOTE(review): one rule per line. Only the first two rules (sid 27875, sid 27592)
# are enabled; every other rule below is written as "# alert ..." which is the
# ruleset's disabled-by-default form, not a descriptive comment. Enable rules
# deliberately (e.g. the SQL-injection obfuscation rules 13791/13987/13988/13989/
# 14008/19437 are all off as shipped).
#
# NOTE(review): several content:/pcre: arguments in this copy look mangled
# (angle-bracketed payloads missing, presumably lost in HTML rendering) and will
# not parse as written: sid 19868 (empty, line-broken content), sid 23088 (empty
# content), sid 23089 (truncated pcre), the "GIF header with PHP tags" rule (its
# remaining options and sid are gone and it is fused onto sid 23113), and the final
# "script tag in POST parameters" rule, which is cut off at the end of this listing.
# Restore these from the upstream ruleset before loading.
#
# NOTE(review): sid 15362's reference URL has ".../blog/3008/10/..." while sid 15363
# references ".../blog/2008/10/..."; the "3008" looks like a typo in the reference.
#
# Enabled. Both carry "metadata:policy ... drop", so in an inline deployment using
# those policies they are intended to drop the flow, not just alert.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit"; flow:to_client,established; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:27875; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|7D|catch(d21vd12v)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27592; rev:5;)
# Disabled by default from here on.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION multiple plugin version detection attempt"; flow:to_client,established; file_data; content:"PluginDetect.getVersion"; fast_pattern:only; content:"PluginDetect.getVersion"; content:"PluginDetect.getVersion"; distance:0; content:"PluginDetect.getVersion"; distance:0; content:"PluginDetect.getVersion"; distance:0; content:!"LeadiD"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.com/2012/09/following-lead-of-suspected-blackhole2.html; classtype:attempted-recon; sid:27119; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt"; flow:to_client,established; file_data; content:"function "; content:"("; within:1; distance:1; content:"return "; within:24; distance:6; content:".substr("; within:8; distance:1; fast_pattern; content:"|3B|"; within:15; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:trojan-activity; sid:26451; rev:7;)
# sid 21040 inspects the raw stream (no file_data/http buffer); the pcre backreference
# ties the unescape()'d variable to the later .write( call.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected"; flow:to_client,established; content:".write"; content:"unescape"; fast_pattern:only; pcre:"/var\s+([^\s]+)\s*=\s*unescape\s*\x28.*?\x2ewrite\s*\x28\s*\1/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:21040; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Dadongs obfuscated javascript"; flow:to_client,established; file_data; content:"(|22|dadongs=|22|)"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:misc-activity; sid:21519; rev:6;)
# sid 13791 / 13987: fire when CAST( / CONVERT( is followed by at least 250 bytes
# (isdataat:250,relative) containing no ")" (content:!"|29|"; within:250).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION oversized cast statement - possible sql injection obfuscation"; flow:established,to_server; content:"CAST|28|"; nocase; isdataat:250,relative; content:!"|29|"; within:250; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13791; rev:6;)
# sid 13989 requires a POST and five CHAR( calls in the normalized URI.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; content:"POST"; http_method; content:"CHAR("; nocase; http_uri; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smiU"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13989; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION oversized convert statement - possible sql injection obfuscation"; flow:established,to_server; content:"CONVERT|28|"; nocase; isdataat:250,relative; content:!"|29|"; within:250; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13987; rev:6;)
# sid 14008 / 13988: five CONCAT( / ASCII( matches in order, unbounded distance.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to concat function - possible sql injection obfuscation"; flow:established,to_server; content:"CONCAT|28|"; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:14008; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to ascii function - possible sql injection obfuscation"; flow:established,to_server; content:"ASCII|28|"; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13988; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION select concat statement - possible sql injection"; flow:established,to_server; content:"select concat"; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:19437; rev:6;)
# sid 15362: five .fromCharCode occurrences, each within 300 bytes of the previous one.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack"; flow:to_client,established; content:".fromCharCode"; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/3008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15362; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt"; flow:to_client,established; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15363; rev:7;)
# NOTE(review): sid 19868's content argument is empty and split across two lines in
# this copy (the div tag payload appears to have been stripped); it will not parse
# as written. Left byte-for-byte; restore from upstream.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hidden 1x1 div tag - potential malware obfuscation"; flow:to_client,established; file_data; content:"
"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:19868; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION generic PHP code obfuscation attempt"; flow:established,to_server; content:"Array|28|"; content:"|20 20 20 20 2E|"; within:200; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:18493; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION malware-associated JavaScript obfuscation function"; flow:to_client,established; file_data; content:"function re|28|s,n,r,b,e|29|{if|28|se|29|return s|3B|"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-18132; classtype:trojan-activity; sid:18132; rev:8;)
# sid 21578 / 21577 / 21580 / 21579 / 23161 / 23160: literal string-concatenation
# spellings of eval / charCode / fromCharCode ("eva"+"l", "from"+"CharCod"+"e", ...).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|eva|22|+|22|l|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21578; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - charcode"; flow:to_client,established; file_data; content:"|22|c|22|+|22|h|22|+|22|ar|22|+|22|Code|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21577; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|from|22|+|22|CharCod|22|+|22|e|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21580; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharCod|22|+|22|e|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21579; rev:7;)
# sid 22074 / 22073 / 22072 / 22071: gated on flowbits:isset,file.doc (set elsewhere,
# by a file-type rule not in this listing); patterns are UTF-16LE ("j|00|a|00|...").
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"c|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22074; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22073; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"f|00|r|00|o|00|m|00|C|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22072; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"e|00|v|00|a|00|l|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22071; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval of base64-encoded data"; flow:to_client,established; file_data; content:"eval|28|base64_decode|28|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:23018; rev:8;)
# NOTE(review): sid 23088 has an empty content:"" in this copy (payload lost); it will
# not parse as written. Left byte-for-byte; restore from upstream.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe"; flow:to_client,established; file_data; content:""; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23088; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - push"; flow:to_client,established; file_data; content:"a|3D 27|pus|27 2B 27|h|27 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23086; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - xval"; flow:to_client,established; file_data; content:"q|3D|x|2B 27|v|27 2B 27|al|27 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23087; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - join"; flow:to_client,established; file_data; content:"b|3D 22|j|22 2B 22|o|22 2B 27|i|27 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23085; rev:4;)
# NOTE(review): sid 23089's second content argument runs straight into what looks like
# the tail of a pcre (the "pcre:" keyword and the opening of the pattern are missing);
# it will not parse as written. Left byte-for-byte; restore from upstream.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern"; flow:to_client,established; file_data; content:"|3A|present>"; content:"|3A|interactive>1\w+)\x3apresent.*?\x3c(?P=string)\x3ainteractive.*?\x3c\x2f(?P=string)\x3ainteractive/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23089; rev:4;)
# NOTE(review): the next line is two rules fused together. The "GIF header with PHP
# tags" rule loses everything after its second content:" (including its sid and
# closing paren), and the "eval gzinflate base64_decode" rule (sid 23113) has lost its
# header up to "$HOME_NET any". Neither will parse as written; left byte-for-byte.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious"; flow:to_client,established; file_data; content:"GIF89a"; depth:6; nocase; content:" $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious"; flow:to_client,established; file_data; content:"eval|28|"; nocase; content:"gzinflate|28|"; within:25; nocase; content:"base64_decode|28|"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.talosintel.com/2012/06/web-shell-poses-as-gif.html; reference:url,snort.org/rule_docs/1-23113; classtype:misc-activity; sid:23113; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|e|22|+|22|val|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:23161; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharC|22|+|22|ode|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:23160; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript error suppression routine"; flow:to_client,established; file_data; content:"window.onerror = function|20 28 29 20 7B|return true"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:23226; rev:6;)
# sid 23482 / 23481 / 23621 / 23636 are tagged "metadata:ruleset community".
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:established,to_client; file_data; content:"addEventListener|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23482; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:established,to_client; file_data; content:"setTimeout|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23481; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:10;)
# NOTE(review): the final rule is cut off at the end of this listing (content argument
# open, no sid); the remainder is outside this view.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; content:"