Snort mailing list archives
Low hanging fruit #2
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 12 Sep 2012 15:58:57 -0600
Yea...that was a good read on the Apache Mod issue: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Page with YWZmaWQ9MDUyODg"; flow:to_client, established; file_data; content:"YWZmaWQ9MDUyODg"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:10000026; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; rev:1;) http://blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/ Certain this rule will be exciting until they change their ways. Hopefully I've got the flow right..don't have a pcap to bounce it off of. James ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Low hanging fruit #2 James Lay (Sep 12)
- Re: Low hanging fruit #2 Joel Esler (Sep 13)
- Re: Low hanging fruit #2 James Lay (Sep 13)
- Re: Low hanging fruit #2 Joel Esler (Sep 13)
- Re: Low hanging fruit #2 James Lay (Sep 13)
- Re: Low hanging fruit #2 Joel Esler (Sep 13)