Versions (4)
Version DetailsCurrent
Rev: 1 • Nov 12, 2021, 12:00 PMET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034440; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
Nov 12, 2021, 12:00 PM
Nov 12, 2021, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 8, 2025, 9:34 PM
rules/emerging-web_server.rules