Skip to content

Instantly share code, notes, and snippets.

@fox-srt
Created February 21, 2023 12:54
Show Gist options
  • Save fox-srt/5df012e6e780ba85897f457308c5c940 to your computer and use it in GitHub Desktop.
Save fox-srt/5df012e6e780ba85897f457308c5c940 to your computer and use it in GitHub Desktop.
Snort & Suricata signatures for Godzilla Web shell variant and SimpleHTTPServerWithUpload
# Detection for Godzilla webshell variant and SimpleHTTPServerWithUpload
alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - Python SimpleHTTPServerWithUpload Observed"; flow:established, from_server; content:"Server: SimpleHTTPWithUpload/"; http_header; threshold: type limit, track by_dst, count 1, seconds 600; classtype:bad-unknown; metadata:created_at 2023-01-06; priority:2; sid:21004337; rev:1;)
alert tcp any any -> any any (msg:"FOX-SRT - IOC - Godzilla Variant ZK Web Shell Request Observed"; flow:established, to_server; content:"/zkau/jquery"; http_uri; threshold:type limit, track by_dst, count 1, seconds 600; flowbits:set, fox.zkau.webshell; classtype:trojan-activity; metadata:created_at 2023-01-09; priority:3; sid:21004344; rev:1;)
alert tcp any any -> any any (msg:"FOX-SRT - Webshell - Godzilla Variant ZK Web Shell Response Observed"; flow:established, from_server; flowbits:isset, fox.zkau.webshell; content:"200"; http_stat_code; threshold:type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; metadata:created_at 2023-01-09; priority:1; sid:21004345; rev:1;)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment