alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO - Applet Tag In Edwards Packed JavaScript?"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern:only; content:!"|7C|_dynarch_popupCalendar|7C|"; classtype:bad-unknown; sid:2015708; rev:5;)

Added 2016-11-21 18:30:15 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript?"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern:only; content:!"|7C|_dynarch_popupCalendar|7C|"; classtype:bad-unknown; sid:2015708; rev:4;)

Added 2015-11-12 15:59:25 UTC

There's a false positive on an old prototype.js version; it matches on "|applet|". Don't know if it's an issue in newer versions, but I got it from this URL: http://www.restaurangakademien.se/ra/wp-content/themes/restaurangakademien/scripts/prototype.1.6.1.0.js

-- MattiasFliesberg - 2016-08-25


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript?"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2015708; rev:2;)

Added 2012-09-17 19:48:03 UTC
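
For triaging alerts such as the false positive reported above, the following sketch (an added example, not part of the Emerging Threats rule set) emulates the three content checks of rev 5 in Python and lists the packer dictionary words around `applet`. The sample bodies, the `_packed` helper and all function names are constructed for illustration; the library sample is not the actual prototype.js content.

```python
import re

# Content checks of sid:2015708 rev 5, applied to a response body (file_data).
# Flow direction and HTTP decoding are outside this sketch.
PACKER = b"eval(function(p,a,c"        # content 1, case-sensitive
APPLET = b"|applet|"                   # content 2, |7C|applet|7C| with nocase
EXCLUDE = b"|_dynarch_popupCalendar|"  # content 3, negated, case-sensitive

# Keyword dictionary of the packer output: '...'.split('|')
DICT_RE = re.compile(rb"'([^'\\]*)'\.split\('\|'\)")

def rule_matches(body: bytes) -> bool:
    """True when all three content conditions hold; order does not matter."""
    return PACKER in body and APPLET in body.lower() and EXCLUDE not in body

def packer_words(body: bytes) -> list:
    """Return the packer's keyword dictionary, or [] if none is found."""
    m = DICT_RE.search(body)
    return m.group(1).decode("latin-1").split("|") if m else []

def applet_context(body: bytes, span: int = 2) -> list:
    """Dictionary words within `span` positions of each 'applet' entry."""
    words = packer_words(body)
    return [words[max(0, i - span): i + span + 1]
            for i, w in enumerate(words) if w.lower() == "applet"]

def _packed(words):
    """Constructed stand-in for packer output; the payload is a dummy."""
    joined = "|".join(words).encode()
    return (b"eval(function(p,a,c,k,e,d){/*unpacker*/}('0 1 2',62,%d,'%s'"
            b".split('|'),0,{}))" % (len(words), joined))

# Constructed samples, not captured traffic.
SAMPLES = {
    "applet_loader": _packed(["document", "write", "applet", "archive", "code"]),
    "tag_list_library": _packed(["object", "applet", "embed", "select"]),
    "popup_calendar": _packed(["cal", "_dynarch_popupCalendar", "applet", "hide"]),
}

def triage(samples: dict) -> dict:
    """Map sample name -> (would rev 5 alert?, words around 'applet')."""
    return {n: (rule_matches(b), applet_context(b)) for n, b in samples.items()}

if __name__ == "__main__":
    for name, (hit, ctx) in triage(SAMPLES).items():
        print(f"{name:17} alert={hit!s:5} context={ctx}")
```

The rule alerts on both the first and second samples because it only tests for the `applet` token; the neighbouring dictionary words are what an analyst reads to tell a tag-name list from applet-loading code.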


Topic revision: r2 - 2016-08-25 - MattiasFliesberg
 