Et rule 2045281 - Magic-SigExplorer

""ET CURRENT_EVENTS Generic Credential Phish Landing Page from Text Scam M3 2023-05-01""

SID: 2045281

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2023_05_01, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_05_01

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "GET"
Value: "/dir.php?url=YUhSMGNITTZMeTlzWVhjdWFtRnJibVYwTG0xNUxtbGtMM0J5YjNSbFkzUXRlVzkxY25ObGJHWXRabkp2YlMxdVpYUm1iR2w0TFhOallXMXpMV2x1YzJsbmFIUnpMV1p5YjIwdFlTMXNZWGN0WVhSMGIzSnVaWGt2"

Within:

PCRE:

Special Options:

http_method
http_uri

source