Rule History

SID: 2610880 • Source: tgreen/hunting

Versions (2)

Version DetailsCurrent

Rev: 2 • Feb 6, 2026, 11:54 PM

Message:

TGI HUNT Possible Base64-Encoded MAC Address in Payload

Rule:

alert tcp any any -> any ![25,465,515,587,631,9100] (msg:"TGI HUNT Possible Base64-Encoded MAC Address in Payload"; content:"|36|"; content:"|36|"; distance:3; within:4; content:"|36|"; distance:3; within:4; content:"|36|"; distance:3; within:4; pcre:"/([A-Za-z0-9+\/]{2}[AEIMQUYcgk]6){4,5}/"; classtype:policy-violation; sid:2610880; rev:2;)

Created:

Feb 6, 2026, 11:54 PM

Updated:

May 7, 2026, 8:15 PM

DB Created:

Feb 7, 2026, 12:34 AM

DB Updated:

May 7, 2026, 8:35 PM

Filename:

hunting.rules