Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Godzilla Webshell Interaction Attempt"; flow:established,to_server; http.method; content:"POST"; http.accept_lang; bsize:59; content:"zh-CN,zh|3b|q=0.8,zh-TW|3b|q=0.7,zh-HK|3b|q=0.5,en-US|3b|q=0.3,en|3b|q=0.2"; fast_pattern; http.request_body; content:"pass="; startswith; reference:url,www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.html; classtype:trojan-activity; sid:2055652; rev:1; metadata:affected_product Apache_Tomcat, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_08_30, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_08_30; target:dest_ip;)