http-post.yara
// Capability rule: flags files that contain the text of an HTTP POST request
// or client code able to build one, i.e. something that can submit data to a
// web server. A match describes a capability, not malicious intent on its own.
// The `medium` tag is presumably read as a severity level by the consuming tool — confirm.
// NOTE(review): every string below is a short, case-sensitive plain substring
// with no `fullword` modifier, so "POST" also matches inside longer tokens and
// "http" matches any URL. Expect frequent hits on benign software and weigh a
// match together with other signals rather than alone.
rule http_post : medium {
meta:
// presumably the OpenBSD pledge(2) promise this capability corresponds to — confirm against project conventions
pledge = "inet"
description = "submits content to websites"
// 64-hex-digit values, presumably SHA-256 digests of reference samples this rule is expected to match — TODO confirm
hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
hash_2023_0xShell_adminer = "2fd7e6d8f987b243ab1839249551f62adce19704c47d3d0c8dd9e57ea5b9c6b3"
hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb"
strings:
// HTTP method name; the one string the condition always requires
$POST = "POST"
// Corroborating HTTP markers. All three identifiers begin with "h", which is
// what makes the `$h*` wildcard in the condition select them; renaming any of
// them would silently drop it from the condition.
$h_HTTP = "HTTP"
$http = "http"
$http_content = "Content-Type"
condition:
// "POST" plus at least one of $h_HTTP, $http or $http_content, anywhere in the file
$POST and any of ($h*)
}
// Capability rule: flags files that embed multipart/form-data header text,
// which indicates code that builds (or parses) HTML-form style uploads.
// More specific than a bare "POST" match because both strings are long,
// protocol-specific header fragments. Matching is case-sensitive, so a
// differently-cased header spelling would not hit.
// The `medium` tag is presumably read as a severity level by the consuming tool — confirm.
rule form_data_reference : medium {
meta:
description = "submits form content to websites"
// 64-hex-digit values, presumably SHA-256 digests of reference samples this rule is expected to match — TODO confirm
hash_2019_restclient_payload = "97b4859cd7ff37977e76079c1b2dbe80adcbe80893afc6fb9876cac8d2373d10"
hash_2019_spec_payload_spec = "fe743cdfe68aa357cf60fc55704e20d49fd713038878dca427a47285b4bfa493"
hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
strings:
// Per-part header that introduces a named field inside a multipart body
$f_content_dispo_name = "Content-Disposition: form-data; name="
// Content-Type value prefix that declares a multipart body and its boundary
$f_multipart = "multipart/form-data; boundary="
condition:
// Either header fragment is sufficient; `$f_*` selects both strings by their shared prefix
any of ($f_*)
}