Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Netscaler Gateway Credential Theft (POST)"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/items/accounts"; fast_pattern; http.host; content:"js"; http.accept; content:"application|2f|json|2c 20|text|2f|plain|2c 20 2a 2f 2a|"; bsize:33; http.content_type; content:"application/json"; bsize:16; reference:md5,58a7e26a7f5fa67bfd9d0faadab9f5a3; reference:url,securityintelligence.com/posts/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/; classtype:credential-theft; sid:2048476; rev:1; metadata:created_at 2023_10_06, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_06;)