Rule History

SID: 2062295 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 1 • May 13, 2025, 12:00 PM

Message:

ET HUNTING PHP Serialize Object Injection M1

Rule:

alert http any any -> $HOME_NET any (msg:"ET HUNTING PHP Serialize Object Injection M1"; flow:established,to_server; http.uri; content:".php?"; fast_pattern; pcre:"/[a-z]\x3a\x2b?\d+\x3a(?:[a-z]?\x3a\d+\x3a?\x7b?|\x22[^\x22\x3b\x7b\x7d]*\x22|\x3b|\x7d)+/i"; http.header_names; content:"|0d 0a|Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:web-application-attack; sid:2062295; rev:1; metadata:attack_target Web_Server, created_at 2025_05_13, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Major, tag AI_Generated_Description, updated_at 2025_05_13; target:dest_ip;)

Created:

May 13, 2025, 12:00 PM

Updated:

May 13, 2025, 12:00 PM

DB Created:

May 13, 2025, 9:34 PM

DB Updated:

Jun 16, 2025, 10:35 PM

Filename:

rules/emerging-hunting.rules