Versions (5)
Version DetailsCurrent
Rev: 6 • Jan 17, 2011, 12:00 PMET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:6; metadata:created_at 2011_01_17, performance_impact Significant, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_09;)
Jan 17, 2011, 12:00 PM
Apr 9, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
Oct 3, 2025, 8:34 PM
rules/emerging-shellcode.rules