Et rule 2049906 - Magic-SigExplorer

SID: 2049906

Revision: 1

Class Type: attempted-admin

Metadata: attack_target Client_Endpoint, created_at 2024_01_04, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, updated_at 2024_01_04

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "POST"
Value: "/oauth/multilogin" Depth: 17
Value: "Host|3a 20|accounts.google.com|0d 0a|"
Value: "Authorization|3a 20|MultiBearer|20|"
Value: "Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"
Value: "|0d 0a|Accept|3a 20|"
Value: !"Referer"

Within:

PCRE:

Special Options:

http_method
http_uri
fast_pattern
http_header
http_header
http_header
http_header
http_header

source

""ET EXPLOIT Possible Google Cookie Token Manipulation Activity""