Basic Auth Base64 HTTP Password detected unencrypted

The rule detects instances of unencrypted Basic Authentication (Base64-encoded) HTTP passwords being transmitted over the network. Basic Authentication is a simple method for sending credentials (username and password) over HTTP.

Categories:

ID Number

4000130

Signature

alert tcp any any -> any 80 ( msg:"Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server;content:"|0d 0a|Authorization|3a 20|Basic"; nocase;content:!"YW5vbnltb3VzOg=="; within:32; classtype:misc-activity; rev:1; sid:4000130;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

Consider implementing HTTPS (HTTP over SSL/TLS) instead of HTTP for secure communication. HTTPS encrypts the communication between the client and server, ensuring that sensitive information, such as passwords, is encrypted and not transmitted in clear text. Authorize the Link. If the link was approved in terms of the IP addresses and ports - archive and baseline the rule. If not - check the connection and investigate the relevant IP address, check if the IP address is new on the network and if there are additional alerts related to this IP address.