| IP Address | Port | Hostname | |
|---|---|---|---|
| Source | http (80) | vip1.g-anycast1.cachefly.net | |
| Destination | 52526 |
Description:
- This rule detects a specific sequence of java-script that is designed to obfuscate the content it displays.
- It is not unheard of, but rare that there are legitimate reasons to do this.
Is this a False Positive:
- NO
- URL leading to this landing page (this is a sketchy advertising network, try it a bunch of times and it will eventually land on the below content):
- This is a valid detection. See below for the page that is rendered
Actions:
- Alarm on phish attempt.
- Verify no additional IDS, Netflow, Log entries related on same asset. If there are, additional investigation required.
Comments