Snort mailing list archives
Re: Quick and dirty
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Jan 2013 10:12:16 -0700
On 2013-01-30 10:00, rmkml wrote:
Hi James, Thx for sharing, Maybe add file_data ? Regards Rmkml
Good call!!! alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS Blackhole exploit kit possible email track.php?fdic"; flow:to_server,established; file_data; content:"href="; content:"http|3a 2f 2f|"; content:"track.php?fdic"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10000039; rev:2;) Thanks Rm. James ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty rmkml (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty Joel Esler (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty lists () packetmail net (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty rmkml (Jan 30)