From 0fcce96a175531ec6042cde1b11a0052aa261dd5 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Fri, 19 Apr 2024 19:43:34 +0200
Subject: Adding upstream version 1.3.2.
Signed-off-by: Daniel Baumann
---
tests/rule-with-unicode.rules | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 tests/rule-with-unicode.rules
(limited to 'tests/rule-with-unicode.rules')
diff --git a/tests/rule-with-unicode.rules b/tests/rule-with-unicode.rules
new file mode 100644
index 0000000..8377f33
--- /dev/null
+++ b/tests/rule-with-unicode.rules
@@ -0,0 +1,4 @@
+# This is a file where a rule has unicode in it - the second rule.
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:trojan-activity; sid:2022649; rev:2;)
+alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN KHRAT DragonOK DNS Lookup (inter-ctrip .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|inter-ctrip|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok’s-new-custom-backdoor; classtype:trojan-activity; sid:2024108; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RealtyListings detail.asp iPro Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; reference:url,doc.emergingthreats.net/2009050; classtype:web-application-attack; sid:2009050; rev:3;)
-- cgit v1.2.3