Et rule 2045624 - Magic-SigExplorer

""ET ATTACK_RESPONSE MrRobot LYON Admin Panel Inbound""

SID: 2045624

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2023_05_09, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2023_05_09

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "|3c|title|3e|Login|3c 2f|title|3e|"
Value: "class|3d 22|card|2d|title|20|text|2d|center|22 3e|Panel|20|Login|3c 2f|div|3e|"
Value: "method|3d 22|post|22 20|action|3d 22|user|2e|php|22 3e|"
Value: "id|3d 22|exampleInputPassword1|22 20|name|3d 22|password|22 20|placeholder|3d 22|Password|22 3e|"
Value: "|3c|input|20|type|3d 22|submit|22 20|name|3d 22|login|22 20|value|3d 22|Sign|20|in|22 20|class|3d 22|btn|20|btn|2d|primary|20|btn|2d|block|22 2f 3e|"

Within:

PCRE:

Special Options:

file_data

source