Rule History

SID: 2065593 • Source: et/open

Versions (2)

Version Details (Current)

Rev: 2 • Oct 30, 2025, 12:00 PM

ET HUNTING WASM RWX Page Memory Allocation - Common Shellcode Precursor

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING WASM RWX Page Memory Allocation - Common Shellcode Precursor"; flow:established,to_client; http.response_body; content:"uint8array|28 5b|"; nocase; pcre:"/^0(?:x00|o0)?\x2c\x20+?(?:97|0(?:x61|o141))\x2c\x20+?(?:115|0(?:x73|o163))\x2c\x20+?(?:109|0(?:x6[dD]|o155))\x2c\x20+?(?:1|0(?:x01|o1))(?:\x2c\x20+?(?:0|0(?:x00|o0))){3}\x2c\x20+?(?:1|0(?:x01|o1))/R"; content:"|3d 20|new|20|webassembly|2e|module|28|wasmcode|29 3b|"; nocase; content:"|3d 20|new|20|webassembly|2e|instance"; nocase; content:"|3d 20|wasm|5f|instance|2e|exports|2e|"; nocase; fast_pattern; classtype:misc-activity; sid:2065593; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_10_30, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_03; target:dest_ip;)

Oct 30, 2025, 12:00 PM

Nov 3, 2025, 12:00 PM

Oct 30, 2025, 9:34 PM

Nov 3, 2025, 10:34 PM

rules/emerging-hunting.rules