Et rule 2047787 - Magic-SigExplorer

""ET INFO Base64 Encoded zip-compressed File in HTML Body (Mime Type)""

SID: 2047787

Revision: 2

Class Type: misc-activity

Metadata: attack_target Client_Endpoint, created_at 2023_08_28, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, signature_severity Informational, tag HTML_Smuggling, updated_at 2023_10_06, reviewed_at 2023_10_06, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "|3c|html"
Value: "data|3a|application|2f|x|2d|zip|2d|compressed|3b|base64|2c|"

Within:

PCRE:

Special Options:

file_data
fast_pattern

source