PHP Proxy Sigs
New from Will Metcalf, to detect PHP proxy sites. If you're not familiar, these are used to evade content filtering, etc.
#by Will Metcalf. These will detect a php proxy/anonymizer/content control evasion site in use
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY PHP Anonymizing/Evasion Proxy In Use"; flow: to_server,established; content:"GET "; depth: 4; uricontent:"/index.php?q="; nocase; pcre:"/index.php.q=(uggc|jjj|http|www|aHR0c|d3d3)/Ui"; reference:url,en.wikipedia.org/wiki/RapidShare; classtype:policy-violation; sid:2006410; rev:1;)
Matt
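
The alternatives in the rule's pcre are "http" and "www" in plain, ROT13 and base64 form. The following is an added example, not part of the original post or of Will Metcalf's rules: it derives those tokens in Python and runs an approximation of the rule's URI checks over constructed request URIs. The function names and sample URIs are assumptions made for illustration.

```python
import base64
import codecs
import re

# Approximation of the rule's URI checks. Snort's /U modifier (match against
# the normalized URI buffer) is assumed to be the plain string passed in here.
URICONTENT = "/index.php?q="
RULE_PCRE = re.compile(r"index.php.q=(uggc|jjj|http|www|aHR0c|d3d3)", re.IGNORECASE)


def prefix_tokens(text):
    """Return the plain, ROT13 and base64 forms of a URL prefix."""
    rot13 = codecs.encode(text, "rot13")
    b64 = base64.b64encode(text.encode("ascii")).decode("ascii")
    # Each base64 character carries 6 bits, so only the first (8 * n) // 6
    # characters are fixed by n input bytes; later ones depend on what follows.
    stable_b64 = b64[: (8 * len(text)) // 6]
    return [text, rot13, stable_b64]


def rule_matches(uri):
    """True when both the uricontent and the pcre conditions hold."""
    return URICONTENT in uri.lower() and RULE_PCRE.search(uri) is not None


def sample_uris():
    """Constructed request URIs: three encodings of a target plus two benign."""
    target = "http://example.com/"
    return {
        "plain": URICONTENT + target,
        "rot13": URICONTENT + codecs.encode(target, "rot13"),
        "base64": URICONTENT + base64.b64encode(target.encode()).decode(),
        "benign_search": URICONTENT + "snort+rules",
        "benign_other": "/index.php?page=2",
    }


if __name__ == "__main__":
    print("http ->", prefix_tokens("http"))
    print("www  ->", prefix_tokens("www"))
    for label, uri in sample_uris().items():
        print(f"{label:14} {rule_matches(uri)!s:5} {uri}")
```

Because the pcre only anchors on the first few characters of the q= value, an application that uses /index.php?q= for its own parameter and passes a value beginning with "www" or "http" will also match, which is worth keeping in mind when triaging hits.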