EmergingThreats> Main Web>2006402 (2007-10-03, MattJonkman) EditAttach

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; http_header; nocase; content:!"YW5vbnltb3VzOg=="; http_header; within:32; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_28;)

Added 2020-08-28 18:15:25 UTC

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; http_header; nocase; content:!"YW5vbnltb3VzOg=="; http_header; within:32; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:12; metadata:created_at 2010_07_30, updated_at 2019_03_18;)

Added 2019-03-18 18:28:52 UTC

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; http_header; nocase; content:!"YW5vbnltb3VzOg=="; within:32; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2018-09-13 19:39:12 UTC

Added 2018-09-13 17:53:30 UTC

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:59:36 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:9;)

Added 2011-10-12 19:20:39 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; sid:2006402; rev:9;)

Added 2011-09-14 22:34:12 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006402; rev:9;)

Added 2011-08-01 23:05:47 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006402; rev:8;)

Added 2011-05-25 19:28:47 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006402; rev:6;)

Added 2011-02-04 17:25:20 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006402; rev:6;)

Added 2009-02-10 20:53:04 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006402; rev:6;)

Added 2009-02-10 20:53:04 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006402; rev:5;)

Added 2008-01-31 18:48:07 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006402; rev:5;)

Added 2008-01-31 18:48:07 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006402; rev:4;)

Added 2007-10-03 22:32:20 UTC

Added leading 0d 0a to eliminate falses on proxy-auth requests

-- MattJonkman - 03 Oct 2007

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006402; rev:4;)

Added 2007-10-03 22:32:20 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006402; rev:3;)

Added 2007-08-29 09:46:50 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006402; rev:3;)

Added 2007-08-29 05:16:37 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006402; rev:3;)

Added 2007-08-29 04:03:18 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; classtype:policy-violation; sid:2006402; rev:2;)

Added 2007-07-20 23:44:23 UTC

Here's another one that popped up today: dXNlcm5hbWU6cGFzc3dvcmQ=

"username:password"

Jonathan Scheidell

-- MattJonkman - 21 Jul 2007

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; content:!"Og=="; content:!"YW5vbnltb3VzOg=="; classtype:policy-violation; sid:2006402; rev:1;)

Added 2007-07-18 23:53:18 UTC

This is a reverse of the existing rule to detect INCOMING http auth sessions being served by your servers.

-- MattJonkman - 19 Jul 2007

Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2007-10-03 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats