"ET WEB_CLIENT Zimbra zauthtoken Value Extraction Script Requested (Inbound)"
SID: 2050658
Revision: 1
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2024_02_01, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_02_01
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
- Value: "Content-Type|3a 20|application/x-javascript"
- Value: "fetch|28 27|/public/authorize.jsp|27 29|"
- Value: "|63 6f 6e 73 74 20 6d 61 74 63 68 20 3d 20 64 61 74 61 2e 6d 61 74 63 68 28 2f 6e 61 6d 65 3d 22 7a 61 75 74 68 74 6f 6b 65 6e 22 20 76 61 6c 75 65 3d 22 28 5b 5e 22 5d 2b 29 22 2f 29 3b|"
- Value: "|2f 2f 20|Post the zauthtoken value to your PHP script"
Within:
PCRE:
Special Options:
- nocase
- http_header
- file_data
- fast_pattern