Versions (5)
Version DetailsCurrent
Rev: 5 • Jan 17, 2011, 12:00 PMET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:5; metadata:created_at 2011_01_17, performance_impact Significant, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_09;)
Jan 17, 2011, 12:00 PM
Apr 9, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
Oct 3, 2025, 8:34 PM
rules/emerging-shellcode.rules