Snort mailing list archives

Re: Webshell SIGs


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 29 May 2013 09:13:10 -0400

Can you capture a pcap of the traffic and send it to me?  I can take a look.  Might be a lot easier than going back and 
forth a dozen times.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 29, 2013, at 8:06 AM, Peter Bates <peter.bates () ucl ac uk> wrote:

Hello all (second try with spaces inserted)

There are a variety of different SIGs to spot Webshells - primarily PHP.

One example is 22932 - "INDICATOR-COMPROMISE c99 shell.php command request - phpinfo"

I've put up a copy of C99 and made requests towards it
(primarily the rule above just hits on "act=php info")
but get nothing - but I do get consistent hits on
SID 1882 - id check returned userid.

URL logging (on the same box as Snort) shows the traffic:

2013-05-29 11:19:47     1.2.3.4  5.6.7.8   >       GET     www.x.x   /99.php?act=php info    ELinks/0.12~pre5-2+squeeze1 (textmode; Debian; Linux 3.2.0-0.bpo.4-amd64 x86_64; 80x24-2)       http://www.x.x/99.php   HTTP/1.1

HOME_NET is correctly configured, EXTERNAL_NET is 'any'.

Snort is 2.9.3.1 (yes I need to upgrade)

Is there something obvious at fault?
I'm wondering if there's a whole bunch of incoming web evil I'm missing.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
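An added example, not part of the thread, that triages the quoted URL log offline for the same URI indicator the rule is said to key on, and checks that the server side of each hit sits inside HOME_NET (the precondition for an EXTERNAL_NET -> HOME_NET rule to fire at all). The indicator string `act=phpinfo`, the HOME_NET range, and the tab-separated column layout are assumptions reconstructed from the quoted log line.

```python
import ipaddress
from urllib.parse import unquote_plus

# Constructed sample in the tab-separated layout of the URL log quoted above.
# The space in "php info" reproduces the poster's "spaces inserted" mangling.
SAMPLE_LOG = (
    "2013-05-29 11:19:47\t1.2.3.4\t5.6.7.8\t>\tGET\twww.x.x\t/99.php?act=php info\t"
    "ELinks/0.12~pre5-2+squeeze1 (textmode; Debian; Linux 3.2.0-0.bpo.4-amd64 x86_64; 80x24-2)\t"
    "http://www.x.x/99.php\tHTTP/1.1\n"
    "2013-05-29 11:20:03\t9.9.9.9\t5.6.7.8\t>\tGET\twww.x.x\t/index.php?page=home\t"
    "curl/7.26.0\t-\tHTTP/1.1\n"
)

# Assumed indicator: the thread says SID 22932 keys on "act=phpinfo" in the URI.
WEBSHELL_URI_INDICATORS = ("act=phpinfo",)

# Assumed HOME_NET; it must cover the server (dst) side for the rule to match.
HOME_NET = [ipaddress.ip_network("5.6.7.0/24")]


def normalize_uri(raw_uri):
    """Percent-decode and lower-case the URI (roughly what an http_uri match sees after
    Snort's HTTP inspector normalizes it). Whitespace stripping only undoes the
    mailing-list 'spaces inserted' mangling in the constructed sample, not Snort behaviour."""
    decoded = unquote_plus(raw_uri)
    return "".join(decoded.split()).lower()


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def parse_url_log(text):
    """Yield one record per log line: timestamp, client, server, method, host, URI."""
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 7:
            continue
        yield {"ts": f[0], "src": f[1], "dst": f[2], "method": f[4], "host": f[5], "uri": f[6]}


def triage(text):
    """Return log records whose normalized URI carries a webshell indicator, annotated with
    whether the server is inside HOME_NET (if not, the Snort rule cannot fire on it)."""
    hits = []
    for rec in parse_url_log(text):
        uri = normalize_uri(rec["uri"])
        matched = [ind for ind in WEBSHELL_URI_INDICATORS if ind in uri]
        if matched:
            hits.append({**rec, "indicator": matched[0], "dst_in_home_net": in_home_net(rec["dst"])})
    return hits
```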



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


