Snort mailing list archives
Re: Webshell SIGs
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 29 May 2013 09:13:10 -0400
Can you capture a pcap of the traffic and send it to me? I can take a look. Might be a lot easier than going back and forth a dozen times.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 29, 2013, at 8:06 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
Hello all (second try with spaces inserted)

There are a variety of different SIGs to spot Webshells - primarily PHP. One example is 22932 - "INDICATOR-COMPROMISE c99 shell.php command request - phpinfo"

I've put up a copy of C99 and made requests towards it (primarily the rule above just hits on "act=php info") but get nothing - but I do get consistent hits on SID 1882 - id check returned userid.

URL logging (on the same box as Snort) shows the traffic:

2013-05-29 11:19:47 1.2.3.4 5.6.7.8 > GET www.x.x /99.php?act=php info ELinks/0.12~pre5-2+squeeze1 (textmode; Debian; Linux 3.2.0-0.bpo.4-amd64 x86_64; 80x24-2) http://www.x.x/99.php HTTP/1.1

HOME_NET is correctly configured, EXTERNAL_NET is 'any'. Snort is 2.9.3.1 (yes I need to upgrade)

Is there something obvious at fault? I'm wondering if there's a whole bunch of incoming web evil I'm missing.

--
Peter Bates
Senior Information Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
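A small triage helper for the situation Peter describes, added here as an example; it is not code from the thread, from Sourcefire or from Snort. It replays URL-log lines in the layout Peter pasted and checks, per request, the two things a rule with a header like `$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS` and a `content:` match on the URI needs before it can alert: the destination is inside HOME_NET, and the normalized URI contains the indicator. The HOME_NET value, the sample log lines and the percent-decode/lower-case approximation of URI normalization are constructed assumptions; the indicator `act=phpinfo` and SID 22932 come from the rule message quoted in the thread.

```python
"""Triage helper for "a webshell rule that should fire but does not".

Added example for this thread; not code from the thread, Sourcefire or
Snort. It replays URL-log lines and reports, per request, whether a
URI-content rule could be expected to alert given the HOME_NET /
EXTERNAL_NET variables and the indicator string. HOME_NET, the log
lines and the normalization approximation are constructed assumptions;
"act=phpinfo" and SID 22932 are from the rule message in the thread.
"""
import ipaddress
from urllib.parse import unquote

# Assumed snort.conf variables (constructed for this example).
HOME_NET = [ipaddress.ip_network("5.6.7.0/24")]
EXTERNAL_NET = "any"   # as stated in the thread

# Indicator -> SID. Matching is done on the percent-decoded, lower-cased
# URI as a rough stand-in for the normalized http_uri buffer (assumption).
INDICATORS = {"act=phpinfo": 22932}

# Constructed log lines in the URL-log layout shown in the thread
# (date time src dst > METHOD host uri user-agent referer version).
# The first is the thread's own request with the list-filter space removed.
LOG_LINES = [
    "2013-05-29 11:19:47 1.2.3.4 5.6.7.8 > GET www.x.x /99.php?act=phpinfo "
    "ELinks/0.12~pre5-2+squeeze1 (textmode; Debian; Linux 3.2.0-0.bpo.4-amd64 x86_64; 80x24-2) "
    "http://www.x.x/99.php HTTP/1.1",
    # outbound: a HOME_NET host requesting the shell on an external server
    "2013-05-29 11:20:03 5.6.7.8 9.9.9.9 > GET www.example.invalid /99.php?act=phpinfo "
    "ELinks/0.12 http://www.example.invalid/99.php HTTP/1.1",
    # same action, percent-encoded and mixed case
    "2013-05-29 11:21:11 1.2.3.4 5.6.7.8 > GET www.x.x /99.php?ACT=%50hpInfo "
    "curl/7.26.0 - HTTP/1.1",
    # benign request, no indicator
    "2013-05-29 11:22:40 1.2.3.4 5.6.7.8 > GET www.x.x /index.php?page=about "
    "curl/7.26.0 - HTTP/1.1",
]


def parse_log_line(line):
    """Split one URL-log line into fields. The user-agent may contain
    spaces, so split from the left up to the URI and from the right for
    the referer and HTTP version."""
    head = line.split(maxsplit=8)
    if len(head) != 9 or head[4] != ">":
        raise ValueError(f"unrecognized log line: {line!r}")
    date, time, src, dst, _, method, host, uri, rest = head
    user_agent, referer, version = rest.rsplit(maxsplit=2)
    return {"date": date, "time": time, "src": src, "dst": dst,
            "method": method, "host": host, "uri": uri,
            "user_agent": user_agent, "referer": referer, "version": version}


def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def in_external_net(addr):
    return True if EXTERNAL_NET == "any" else not in_home_net(addr)


def normalize_uri(uri):
    """Approximation of URI normalization: percent-decode and lower-case."""
    return unquote(uri).lower()


def matching_sids(uri):
    norm = normalize_uri(uri)
    return sorted(sid for ind, sid in INDICATORS.items() if ind in norm)


def triage(line):
    """Explain why a URI-content rule would or would not alert on a request."""
    rec = parse_log_line(line)
    reasons = []
    if not in_home_net(rec["dst"]):
        reasons.append(f"dst {rec['dst']} is not in HOME_NET")
    if not in_external_net(rec["src"]):
        reasons.append(f"src {rec['src']} is not in EXTERNAL_NET")
    sids = matching_sids(rec["uri"])
    if not sids:
        reasons.append("no indicator in normalized URI")
    return {"uri": rec["uri"], "sids": sids,
            "expected_alert": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for line in LOG_LINES:
        r = triage(line)
        status = "ALERT expected" if r["expected_alert"] else "no alert: " + "; ".join(r["reasons"])
        print(f"{r['uri']:<32} SIDs={r['sids']} {status}")
```

This only narrows the question to "variables or content"; rule options such as `flow`, `http_uri`, `fast_pattern` and the `HTTP_PORTS` variable can only be checked against the actual packets, which is why a pcap, as Joel asks for, is the faster route.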
Current thread:
- Webshell SIGs Peter Bates (May 29)
- Re: Webshell SIGs waldo kitty (May 29)
- <Possible follow-ups>
- Webshell SIGs Peter Bates (May 29)
- Re: Webshell SIGs Joel Esler (May 29)