Et rule 2051963 - Magic-SigExplorer

""ET WEB_SPECIFIC_APPS ReCrystallize Server DownloadFile.aspx Abuse""

SID: 2051963

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Web_Server_Applications, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_04_09, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_04_09

Reference:

Link

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "GET"
Value: "/RecrystallizeServer/DownloadFile.aspx?filename|3d|" Depth: 48

Within:

PCRE: "/\/RecrystallizeServer\/DownloadFile.aspx\?filename\x3d(?:[a-z]\x3a\x5c|http|\x2f\x2f|\x5c\x5c)/Ui"

Special Options:

http_method
http_uri
fast_pattern

source