Rule History

SID: 2027818 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 3 • Aug 7, 2019, 12:00 PM

Message:

ET WEB_CLIENT XHR POST Request - Possible Form Grabber Activity

Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT XHR POST Request - Possible Form Grabber Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"info="; depth:5; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; content:"&hostname="; distance:0; fast_pattern; content:"&key="; distance:0; http.content_type; content:"application|2f|x-www-form-urlencoded"; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027818; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CardSkimmer, updated_at 2020_08_31;)

Created:

Aug 7, 2019, 12:00 PM

Updated:

Aug 31, 2020, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-web_client.rules