Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Quick and dirty

From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Jan 2013 10:12:16 -0700
On 2013-01-30 10:00, rmkml wrote:

Hi James,
Thx for sharing,
Maybe add file_data ?
Regards
Rmkml



Good call!!!

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS 
Blackhole exploit kit possible email track.php?fdic"; 
flow:to_server,established; file_data; content:"href="; content:"http|3a 
2f 2f|"; content:"track.php?fdic"; within:50; metadata:policy 
balanced-ips drop, policy security-ips drop, service smtp; 
classtype:trojan-activity; sid:10000039; rev:2;)

Thanks Rm.

James

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: