# sid:2011346 rev:7 (ET SHELLCODE) - listed commented out, so it is not loaded unless the leading '#' is removed.
# Logic: on established server-to-client flows from $HTTP_PORTS, "unescape" must be followed
# (distance:0) by "%u", and a second "%u" must fall within 6 bytes of the end of the first,
# which leaves room for at most four characters between the two. The pcre then requires
# "unescape", any run of bytes, and two back-to-back %u escapes of 2-4 characters each.
# NOTE(review): the class [0-9,a-f] also accepts a literal ','; [0-9a-f] looks intended - confirm.
# NOTE(review): ".+" under /s is unbounded and the pcre carries no R flag, so it is evaluated
# independently of the content matches and can pair "unescape" with escapes anywhere later in
# the payload. Scripts that legitimately unescape %u-encoded text will match; treat hits as a
# heuristic ("Possible" in msg) and review the surrounding script before escalating.
# NOTE(review): no file_data or http_* buffer keyword is used, so matching is on the raw stream;
# compressed response bodies are presumably not inspected decoded - verify against sensor config.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7;)

Added 2011-10-12 19:31:49 UTC


# sid:2011346 rev:6 (ET SHELLCODE) - commented out in this entry.
# Detection options (flow, the three content matches, pcre) are the same as in the rev:7 text on
# this page; the only visible difference is that classtype precedes the reference list here.
# NOTE(review): the pcre class [0-9,a-f] already includes a literal ',' in this revision.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; classtype:shellcode-detect; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; sid:2011346; rev:6;)

Added 2011-09-14 22:45:10 UTC


# sid:2011346 rev:6 (ET SHELLCODE) - commented out in this entry.
# Same detection options as the other rev:6 text on this page, but this one still carries the
# cvsweb reference under sigs/WEB_CLIENT/WEB_Obfuscation although msg and classtype are already
# the SHELLCODE ones. Two different texts share sid:2011346 rev:6, so the rev number alone does
# not identify the rule body; compare the full text when auditing a deployed ruleset.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; classtype:shellcode-detect; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011346; rev:6;)

Added 2011-02-04 17:31:09 UTC


# sid:2011346 rev:3 (ET WEB_CLIENT, classtype bad-unknown) - commented out in this entry.
# Logic: "unescape(" followed within 3 bytes by "%"; the pcre narrows that to "(" directly
# followed by %, '% or "%. The negated content drops the match when "google-analytics.com"
# appears anywhere after the "%" hit (distance:0).
# flowbits:set,ET_UNESCAPE marks the flow on a hit; there is no noalert, so the rule also alerts.
# No rule shown on this page tests that flowbit.
# NOTE(review): the google-analytics exclusion is a payload string test, not a check of the
# serving host, so it can suppress true positives as well as the (presumably intended) benign case.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape Javascript Obfuscation Attempt"; flow:established,to_client; content:"unescape("; nocase; content:"%"; within:3; content:!"google-analytics.com"; nocase; distance:0; pcre:"/unescape\x28(\x25|\x27\x25|\x22\x25)/i"; flowbits:set,ET_UNESCAPE; classtype:bad-unknown; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011346; rev:3;)

Added 2010-09-14 12:37:09 UTC


# sid:2011346 rev:3 (ET WEB_CLIENT) - commented out; text repeats the preceding entry on this page.
# Matches "unescape(" followed within 3 bytes by "%", excludes payloads containing
# "google-analytics.com" after that point, and sets flowbit ET_UNESCAPE while still alerting.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape Javascript Obfuscation Attempt"; flow:established,to_client; content:"unescape("; nocase; content:"%"; within:3; content:!"google-analytics.com"; nocase; distance:0; pcre:"/unescape\x28(\x25|\x27\x25|\x22\x25)/i"; flowbits:set,ET_UNESCAPE; classtype:bad-unknown; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011346; rev:3;)

Added 2010-09-14 12:37:09 UTC


# sid:2011346 rev:3 (ET WEB_CLIENT, classtype bad-unknown) - enabled in this entry (no leading '#').
# Logic: "unescape(" followed within 3 bytes by "%", confirmed by a pcre for "(" directly
# followed by %, '% or "%; suppressed when "google-analytics.com" appears after the "%" hit.
# flowbits:set,ET_UNESCAPE is set on a hit without noalert, so the rule alerts as well.
# NOTE(review): any script that calls unescape() on a percent-encoded literal matches, which is
# common in benign pages; expect volume when enabled and tune before relying on it for triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape Javascript Obfuscation Attempt"; flow:established,to_client; content:"unescape("; nocase; content:"%"; within:3; content:!"google-analytics.com"; nocase; distance:0; pcre:"/unescape\x28(\x25|\x27\x25|\x22\x25)/i"; flowbits:set,ET_UNESCAPE; classtype:bad-unknown; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011346; rev:3;)

Added 2010-08-20 14:16:25 UTC


# sid:2011346 rev:3 (ET WEB_CLIENT) - enabled; text repeats the preceding entry on this page.
# Matches "unescape(" followed within 3 bytes by "%", excludes payloads containing
# "google-analytics.com" after that point, and sets flowbit ET_UNESCAPE while still alerting.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape Javascript Obfuscation Attempt"; flow:established,to_client; content:"unescape("; nocase; content:"%"; within:3; content:!"google-analytics.com"; nocase; distance:0; pcre:"/unescape\x28(\x25|\x27\x25|\x22\x25)/i"; flowbits:set,ET_UNESCAPE; classtype:bad-unknown; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011346; rev:3;)

Added 2010-08-20 14:16:25 UTC


# sid:2011346 rev:3 (ET WEB_CLIENT, classtype bad-unknown) - enabled, and without the flowbits
# option that other rev:3 texts on this page carry. The rule body changed while the rev number
# stayed at 3, so compare full rule text rather than sid/rev when checking what a sensor runs.
# Logic: "unescape(" followed within 3 bytes by "%", confirmed by a pcre for "(" directly
# followed by %, '% or "%; suppressed when "google-analytics.com" appears after the "%" hit.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape Javascript Obfuscation Attempt"; flow:established,to_client; content:"unescape("; nocase; content:"%"; within:3; content:!"google-analytics.com"; nocase; distance:0; pcre:"/unescape\x28(\x25|\x27\x25|\x22\x25)/i"; classtype:bad-unknown; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011346; rev:3;)

Added 2010-08-17 12:27:13 UTC


# sid:2011346 rev:3 (ET WEB_CLIENT) - enabled; text repeats the preceding entry on this page
# (no flowbits option). Matches "unescape(" followed within 3 bytes by "%" and excludes
# payloads containing "google-analytics.com" after that point.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape Javascript Obfuscation Attempt"; flow:established,to_client; content:"unescape("; nocase; content:"%"; within:3; content:!"google-analytics.com"; nocase; distance:0; pcre:"/unescape\x28(\x25|\x27\x25|\x22\x25)/i"; classtype:bad-unknown; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011346; rev:3;)

Added 2010-08-17 12:27:13 UTC


# sid:2011346 rev:2 (ET WEB_CLIENT, classtype bad-unknown) - enabled; earliest text on this page.
# Logic: a single content match on "unescape(" plus a pcre for "(" directly followed by % or '%.
# Compared with the rev:3 texts on this page there is no "%" within:3 content, no
# google-analytics.com exclusion, and the pcre has no double-quote (\x22\x25) alternative,
# so a double-quoted argument is not covered by this revision.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Unescape Javascript Obfuscation Attempt"; flow:established,to_client; content:"unescape("; nocase; pcre:"/unescape\x28(\x25|\x27\x25)/i"; classtype:bad-unknown; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,doc.emergingthreats.net/2011346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Obfuscation; sid:2011346; rev:2;)

Added 2010-08-14 10:19:26 UTC

