Snort mailing list archives

Weevely PHP Backdoor - Rule Proposal


From: Anestis Bechtsoudis <bechtsoudis.a () gmail com>
Date: Sun, 20 Nov 2011 23:19:54 +0200

I work in the NOC team at a University Campus in Greece, and recently I
have noticed a noticeable increase in web hacking incidents. In many of
them the attackers used the weevely*1 PHP backdoor to maintain access to
the hacked system.

I have searched around the net for some relevant Snort rules but I
didn't find a match, so I decided to write my own. I thought these rules
might be of interest to the community, so I decided to share them on
this list (see the attachment).

A detailed analysis of how I arrived at these content patterns can be
found in my blog post*2.

I admit that I'm not a Snort expert, so any suggestions are welcome.


*1 http://code.google.com/p/weevely/
*2 http://bechtsoudis.com/security/put-weevely-on-the-your-nids-radar/

-- 
===============================================
* Anestis Bechtsoudis                         *
* Undergraduate Student                       *
*                                             *
* Network Operation Center (NOC Group)        *
* Dept. of Computer Engineering & Informatics *
* University of Patras, Greece                *
*                                             *
* Website: https://bechtsoudis.com            *
===============================================

Attachment: web-weevely.rules

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org