# sid 2006380 rev 12, app-layer form: the `http` protocol keyword replaces a port list, so the destination port is `any`.
# Fires on client-to-server data in an established flow when the HTTP header buffer contains CRLF + "Authorization: Basic" (case-insensitive).
# The negated content suppresses the alert when "YW5vbnltb3VzOg==" (Base64 of "anonymous:") occurs within 32 bytes after that match.
# threshold type both, count 1, seconds 300, track by_src: at most one alert per source address per 300-second window.
alert http $HOME_NET any -> any any (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:59:35 UTC


# sid 2006380 rev 12, TCP form: limited to destination ports in $HTTP_PORTS, so Basic auth sent in clear text on other ports is not inspected.
# Both content checks carry http_header, restricting them to the HTTP header buffer instead of the raw payload.
# The negated content excludes "YW5vbnltb3VzOg==" (Base64 of "anonymous:") within 32 bytes after the "Authorization: Basic" match.
# The threshold limits output to one alert per source address per 300 seconds.
# NOTE(review): the leading |0d 0a| needs a line ending before "Authorization" inside the inspected buffer - confirm how the engine populates http_header when this is the first header line.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:12;)

Added 2011-10-12 19:20:36 UTC


# sid 2006380 rev 12 (TCP, $HTTP_PORTS), with classtype listed before reference.
# Matches CRLF + "Authorization: Basic" (case-insensitive) in the HTTP header buffer of client-to-server traffic.
# Suppressed when "YW5vbnltb3VzOg==" (Base64 of "anonymous:") follows within 32 bytes; rate-limited to one alert per source per 300 seconds.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; sid:2006380; rev:12;)

Added 2011-05-25 19:28:47 UTC


# sid 2006380 rev 10: content checks run against the raw TCP payload (no http_header modifier).
# Matches CRLF + "Authorization: Basic" (case-insensitive) towards $HTTP_PORTS, unless "YW5vbnltb3VzOg==" (Base64 of "anonymous:") follows within 32 bytes.
# No threshold option is present, so the rule itself does not rate-limit alerts.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006380; rev:10;)

Added 2011-02-04 17:25:19 UTC


# sid 2006380 rev 10: raw-payload match on CRLF + "Authorization: Basic" (case-insensitive) for client-to-server traffic to $HTTP_PORTS.
# The negated content (Base64 of "anonymous:") must be absent from the 32 bytes after the match for the alert to fire.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006380; rev:10;)

Added 2009-02-10 20:53:04 UTC


# sid 2006380 rev 10: alerts on "Authorization: Basic" at the start of a header line (leading CRLF) in traffic from $HOME_NET to any host on $HTTP_PORTS.
# Credentials equal to Base64 "anonymous:" are excluded by the negated content with within:32.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006380; rev:10;)

Added 2009-02-10 20:53:04 UTC


# Variant of sid 2006380 rev 10 with the destination narrowed from `any` to $EXTERNAL_NET.
# With this destination, Basic auth between two $HOME_NET hosts no longer alerts; only traffic leaving for $EXTERNAL_NET is reported.
# Detection logic is otherwise a raw-payload match on CRLF + "Authorization: Basic", excluding Base64 "anonymous:" within 32 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006380; rev:10;)

Adding $EXTERNAL_NET allows "Outgoing" to be defined from a network perspective rather than a host perspective.

-- JeromyLeugers - 12 Apr 2008

# sid 2006380 rev 9: message carries the "ET POLICY" prefix; no reference options yet.
# Raw-payload match on CRLF + "Authorization: Basic" (case-insensitive) to $HTTP_PORTS, excluding Base64 "anonymous:" within 32 bytes.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006380; rev:9;)

Added 2008-01-31 18:48:07 UTC


# sid 2006380 rev 9: client-to-server, established flow, destination $HTTP_PORTS.
# Fires on CRLF + "Authorization: Basic" unless the following 32 bytes contain "YW5vbnltb3VzOg==" (Base64 of "anonymous:").
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006380; rev:9;)

Added 2008-01-31 18:48:07 UTC


# sid 2006380 rev 8 (BLEEDING-EDGE message prefix).
# The leading |0d 0a| anchors "Authorization" to the start of a header line, so "Proxy-Authorization: Basic" does not satisfy the match.
# The negated content excludes Base64 "anonymous:" within 32 bytes after the match.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006380; rev:8;)

Added 2007-10-03 22:32:20 UTC

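Added a leading |0d 0a| to eliminate false positives on proxy-auth requests: a Proxy-Authorization header also contains the string "Authorization: Basic", and the CRLF anchors the match to the start of a header line.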

-- MattJonkman - 03 Oct 2007


# sid 2006380 rev 8: match begins with CRLF, i.e. "Authorization: Basic" must start a header line in the raw payload.
# Suppressed for Base64 "anonymous:" within 32 bytes; destination limited to $HTTP_PORTS.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006380; rev:8;)

Added 2007-10-03 22:32:20 UTC


# sid 2006380 rev 7: no leading CRLF, so the pattern also matches header names that merely end in "Authorization: Basic" (for example Proxy-Authorization).
# within:32 ties the negated Base64 "anonymous:" check to the bytes right after the match; destination is $HTTP_PORTS.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006380; rev:7;)

Added 2007-08-29 09:46:50 UTC


# sid 2006380 rev 7: unanchored "Authorization: Basic" match (case-insensitive) in the raw payload towards $HTTP_PORTS.
# The alert is suppressed when Base64 "anonymous:" appears within 32 bytes after the match.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006380; rev:7;)

Added 2007-08-29 05:16:37 UTC


# sid 2006380 rev 7: matches "Authorization: Basic" anywhere in the payload (no line-start anchor), destination $HTTP_PORTS.
# Negated content with within:32 excludes credentials equal to Base64 "anonymous:".
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006380; rev:7;)

Added 2007-08-29 04:03:18 UTC


# sid 2006380 rev 6: destination port is `any`, so the payload match is attempted on every established client-to-server TCP flow from $HOME_NET.
# The negated content has no within/distance modifier, so it is evaluated against the whole payload: the Base64 "anonymous:" string anywhere in the packet suppresses the alert.
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; classtype:policy-violation; sid:2006380; rev:6;)

Added 2007-07-20 23:44:23 UTC


# sid 2006380 rev 5: message gains the word "Outgoing"; destination port is `any`.
# Two unanchored negations: "Og==" (Base64 of ":") and "YW5vbnltb3VzOg==" (Base64 of "anonymous:").
# Because neither has within/distance, the four characters "Og==" anywhere in the payload suppress the alert, which can hide real credentials.
# The second negation is redundant here: any payload containing "YW5vbnltb3VzOg==" also contains "Og==".
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"Og=="; content:!"YW5vbnltb3VzOg=="; classtype:policy-violation; sid:2006380; rev:5;)

Added 2007-07-18 23:53:18 UTC


# sid 2006380 rev 4: first revision with negated contents, both checked against the whole payload (no within/distance).
# "Og==" is Base64 of ":" and "YW5vbnltb3VzOg==" is Base64 of "anonymous:"; either string anywhere in the packet suppresses the alert.
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"Og=="; content:!"YW5vbnltb3VzOg=="; classtype:policy-violation; sid:2006380; rev:4;)

Added 2007-07-17 23:01:36 UTC

content:!"Og=="; negates on the Base64 encoding of ":" and eliminates some false positives. Some strange apps send a bare ":" (empty username and password) as a non-auth.

content:!"YW5vbnltb3VzOg=="; negates on the Base64 encoding of "anonymous:" (user anonymous with an empty password). Not a hugely interesting one either.

Matt

-- MattJonkman - 18 Jul 2007


# sid 2006380 rev 3: single case-insensitive content match on "Authorization: Basic" with destination port `any`.
# No exclusions and no threshold, so every matching packet in an established client-to-server flow alerts.
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; classtype:policy-violation; sid:2006380; rev:3;)

Added 2007-07-07 00:45:40 UTC


# sid 2006380 rev 2: case-insensitive match on "Authorization: Basic" in client-to-server traffic to $HTTP_PORTS.
# The pattern ends at "Basic", so it matches regardless of what follows the scheme name on the header line.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; classtype:policy-violation; sid:2006380; rev:2;)

Added 2007-07-07 00:16:21 UTC

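Removing the trailing |0d 0a| (after "Basic") from the next version, rev 2, to be more accurate: the Base64 credentials follow "Basic" on the same header line, so the line ending does not come directly after it.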

Matt

-- MattJonkman - 07 Jul 2007


# sid 2006380 rev 1: the pattern requires CRLF immediately after "Basic".
# A header that carries credentials after the scheme name ("Authorization: Basic <base64>") therefore does not satisfy this content match.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic|0d 0a|"; nocase; classtype:policy-violation; sid:2006380; rev:1;)

Added 2007-07-06 14:43:05 UTC

This will tell you when HTTP Basic auth is being sent out in the clear. Basic auth credentials are only Base64-encoded, not encrypted, so they are trivial to decode; controlling where they go out to the world is an important thing.

-- MattJonkman - 06 Jul 2007


Topic revision: r4 - 2008-04-12 - JeromyLeugers
 