Et rule 2033048 - Magic-SigExplorer

""ET CURRENT_EVENTS Possible Phishing Landing Page 2021-05-24""

SID: 2033048

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Any, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, signature_severity Critical, tag Phishing, updated_at 2021_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

Value: "|0d 0a|Content-Type|3a 20|text/html"
Value: "2|0a|" Depth: 8
Value: "|26 23|47700|3b 26 23|51068|3b 20 26 23|49444|3b 26 23|51221|3b 20 7c 20 26 23|51060|3b 26 23|47700|3b 26 23|51068|3b 20 26 23|50629|3b 26 23|44536|3b 26 23|47112|3b 26 23|51060|3b 26 23|46300|3b|"
Value: "<form method=|22|post|22 20|action=|22|post.php|22|"

Within:

PCRE:

Special Options:

http_header
file_data
fast_pattern

source