Rule History

SID: 2035554 • Source: et/open

Versions (4)

Version Details (Current)

Rev: 3 • Mar 21, 2022, 12:00 PM

ET INFO Observed testcookie-nginx-module

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed testcookie-nginx-module"; flow:established,to_client; http.stat_code; content:"200"; bsize:3; http.server; content:"nginx"; depth:5; file.data; content:"toNumbers"; content:"d.replace"; distance:30; content:"e.push(parseInt"; distance:30; content:"toHex"; distance:200; content:"e.toLowerCase"; distance:0; content:"toNumbers"; distance:20; content:"toNumbers"; distance:0; content:"toNumbers"; distance:0; content:"toHex(slowAES.decrypt"; distance:100; content:"<noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript>"; fast_pattern; distance:100; reference:url,github.com/kyprizel/testcookie-nginx-module; classtype:misc-activity; sid:2035554; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, confidence High, signature_severity Informational, updated_at 2023_04_28, reviewed_at 2024_10_15;)

Mar 21, 2022, 12:00 PM

Apr 28, 2023, 12:00 PM

Sep 21, 2024, 3:00 AM

May 30, 2025, 12:04 AM

rules/emerging-info.rules