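# ET sid 2017271 rev 3, shipped DISABLED in this revision: the leading '#' means the
# engine does not load it, so nothing below alerts unless the rule is uncommented.
# When enabled it inspects HTTP response bodies (file_data, to_client) for
# "PluginDetect.getVersion" (the fast_pattern) plus an "unescape(" call whose quoted
# string argument is directly followed by .replace(/<regex>/g, "%"), i.e. script that
# restores %-escapes at runtime before unescaping. The msg attributes this to Sakura.
# The pcre is anchored (^ with /R) to the end of the "unescape(" match.
# NOTE(review): the page rendering had stripped the names from both (?P<name>...)
# groups, leaving "(?P[" which PCRE rejects. q2 is restored from the surviving
# (?P=q2) backreference; q1 is a constructed name for the first group, which is never
# back-referenced, so its name does not affect matching. Confirm against the published
# rule before deploying.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:trojan-activity; sid:2017271; rev:3; metadata:created_at 2013_08_02, updated_at 2013_08_02;)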

Added 2020-02-26 20:42:08 UTC


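# ET sid 2017271 rev 3 (enabled): inspects HTTP response bodies delivered to $HOME_NET
# clients (flow to_client + file_data).
# Fires when the body contains "PluginDetect.getVersion" (the fast_pattern) and an
# "unescape(" call whose quoted string argument is directly followed by
# .replace(/<regex>/g, "%"), i.e. script that restores %-escapes at runtime before
# unescaping. The msg attributes this pattern to Sakura.
# The pcre is anchored (^ with /R) to the end of the "unescape(" match; the two content
# matches carry no distance/within, so their order in the body is not enforced.
# The [^\x22\x27]+? and .+? runs are unbounded, so evaluation cost grows with body size.
# NOTE(review): the page rendering had stripped the names from both (?P<name>...)
# groups, leaving "(?P[" which PCRE rejects. q2 is restored from the surviving
# (?P=q2) backreference; q1 is a constructed name for the first group, which is never
# back-referenced, so its name does not affect matching. Confirm against the published
# rule before deploying.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:trojan-activity; sid:2017271; rev:3; metadata:created_at 2013_08_02, updated_at 2013_08_02;)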

Added 2018-09-13 19:47:28 UTC


Added 2018-09-13 17:57:55 UTC


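# ET sid 2017271 rev 3 (enabled), as recorded in the 2017 entry on this page.
# Scope: HTTP response bodies sent to $HOME_NET clients (flow to_client + file_data),
# on any port, because the rule uses the http protocol keyword rather than a port list.
# Match logic: "PluginDetect.getVersion" (fast_pattern) must be present, and an
# "unescape(" call must be directly followed by a quoted string and
# .replace(/<regex>/g, "%"); the pcre is anchored (^ with /R) to the end of the
# "unescape(" match. The msg attributes this pattern to Sakura.
# NOTE(review): the page rendering had stripped the names from both (?P<name>...)
# groups, leaving "(?P[" which PCRE rejects. q2 is restored from the surviving
# (?P=q2) backreference; q1 is a constructed name for the first group, which is never
# back-referenced, so its name does not affect matching. Confirm against the published
# rule before deploying.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:trojan-activity; sid:2017271; rev:3; metadata:created_at 2013_08_02, updated_at 2013_08_02;)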

Added 2017-08-07 21:11:09 UTC


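# ET sid 2017271 rev 2 (original 2013 form): same detection content as the later
# revisions on this page, but written as "alert tcp" with source port $HTTP_PORTS.
# Coverage therefore depends on the server port being listed in $HTTP_PORTS; responses
# served from other ports are not evaluated by this revision. It also carries no
# metadata keyword.
# Match logic: "PluginDetect.getVersion" (fast_pattern) must be present in the response
# body (file_data), and an "unescape(" call must be directly followed by a quoted string
# and .replace(/<regex>/g, "%"); the pcre is anchored (^ with /R) to the end of the
# "unescape(" match. The msg attributes this pattern to Sakura.
# NOTE(review): the page rendering had stripped the names from both (?P<name>...)
# groups, leaving "(?P[" which PCRE rejects. q2 is restored from the surviving
# (?P=q2) backreference; q1 is a constructed name for the first group, which is never
# back-referenced, so its name does not affect matching. Confirm against the published
# rule before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:trojan-activity; sid:2017271; rev:2;)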

Added 2013-08-02 21:19:10 UTC


Topic revision: r1 - 2020-02-27 - TWikiGuest
 