
Rule History

SID: 2052143 • Source: et/open

Versions (3)

Version Details (Current)

Rev: 2 • Sep 27, 2018, 12:00 PM

ET PHISHING Successful Generic 000webhost Phish 2018-09-27

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic 000webhost Phish 2018-09-27"; flow:established,to_client; flowbits:isset,ET.000webhostpost; http.stat_code; content:"200"; file.data; content:"{|22|FormResponse|22 3a 20|{|22|success|22 3a 20|true,|20 22|redirect|22 3a 20 22|"; depth:48; nocase; fast_pattern; pcre:"/^(?:https?\x3a\/\/)?(?:www\.)?(?:(?:a(?:m(?:ericanexpress|azon)|(?:dob|ppl)e|libaba|ol)|r(?:e(?:gions|max)|bcroyalbank)|f(?:irst-online|acebook|edex)|m(?:icrosoft(?:online)?|atch)|u(?:s(?:bank|aa|ps)|ps)|(?:technologyordi|googl)e|na(?:twest|ver)|d(?:ropbox|hl)|yahoo(?:mail)?|1(?:26|63)|keybank|qq)\.com|i(?:n(?:t(?:ertekgroup\.org|uit\.com)|vestorjunkie\.com|g\.(?:be|nl))|c(?:icibank\.com|scards\.nl)|mpots\.gouv\.fr|rs\.gov)|c(?:(?:h(?:ristianmingl|as)e|apitalone(?:360)?|ibcfcib|panel)\.com|om(?:mbank\.com\.au|cast\.net)|redit-agricole\.fr)|b(?:a(?:nkofamerica\.com|rclays\.co\.uk)|(?:igpond|t)\.com|luewin\.ch)|o(?:(?:utlook|ffice)\.com|range\.(?:co\.uk|fr)|nline\.hmrc\.gov\.uk)|s(?:(?:(?:aatchiar|untrus)t|c)\.com|ecure\.lcl\.fr|parkasse\.de)|h(?:a(?:lifax(?:-online)?\.co\.uk|waiiantel\.net)|otmail\.com)|p(?:(?:rimelocation|aypal)\.com|ostbank\.de)|l(?:i(?:nkedin|ve)\.com|abanquepostale\.fr)|we(?:llsfargo\.com|stpac\.co\.nz)|etisalat\.ae)\/?/Ri"; classtype:credential-theft; sid:2052143; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, confidence Medium, signature_severity Critical, tag Phishing, updated_at 2024_04_18, former_sid 2832846, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)

Sep 27, 2018, 12:00 PM

Apr 18, 2024, 12:00 PM

Sep 21, 2024, 3:00 AM

May 30, 2025, 12:04 AM

rules/emerging-phishing.rules