Snort mailing list archives

Re: [Emerging-Sigs] Unusually small php puts


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 10 Jun 2013 08:25:24 -0400

James,

I ran this in our test systems for a couple weeks, and while it did alert, it didn't alert on anything that wasn't benign traffic.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 16, 2013, at 2:37 PM, Joel Esler <jesler () sourcefire com> wrote:

I'm going to test it in our test systems James, we'll see how it goes.


On May 15, 2013, at 1:08 PM, James Lay <jlay () slave-tothe-box net> wrote:

Last month (the 19th I think) I attended an all day security conference...it was pretty good.  One of the telltale signs of C2 traffic was small php PUT's (according to one presenter), so here's a sig for that:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Unusually small php PUT"; flow:to_server,established; content:"PUT"; http_method; http_uri; urilen:<10; classtype:misc-activity; sid:10000059; rev:1)

Might be useful, might not.  I'm embarrassed that it took me almost a month to get to my notes 8-|

James
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
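The rule above keys only on the method and the URI length (there is no content match on "php"), so any PUT with a URI shorter than 10 bytes fires it. The following is an added example, not code from the thread, that emulates those two criteria over a few constructed request lines so the coverage of the rule can be checked offline; it assumes urilen is measured on the URI as sent, without Snort's normalization.

```python
# Added example (not from the thread): emulate what the posted rule selects,
# method PUT and a URI shorter than 10 bytes, over constructed request lines.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RequestLine:
    method: str
    uri: str


def parse_request_line(line: str) -> Optional[RequestLine]:
    """Parse 'METHOD SP URI SP HTTP/x.y'; return None if it is not a request line."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return RequestLine(method=parts[0], uri=parts[1])


def matches_small_put(req: RequestLine, max_urilen: int = 10) -> bool:
    """Mirror content:"PUT"; http_method; urilen:<10.
    Assumption: the length is taken on the raw URI (no normalization)."""
    return req.method == "PUT" and len(req.uri) < max_urilen


# Constructed request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "PUT /c.php HTTP/1.1",            # short .php PUT: flagged
    "PUT /up HTTP/1.1",               # short non-php PUT: also flagged
    "PUT /api/v1/files/42 HTTP/1.1",  # long URI: not flagged
    "POST /c.php HTTP/1.1",           # POST, not PUT: not flagged
    "GET /a HTTP/1.1",                # GET: not flagged
    "garbage line",                   # not a request line: skipped
]


def classify(lines: List[str]) -> List[str]:
    """Return the URIs of the request lines the rule's criteria would flag."""
    hits = []
    for line in lines:
        req = parse_request_line(line)
        if req is not None and matches_small_put(req):
            hits.append(req.uri)
    return hits


if __name__ == "__main__":
    for uri in classify(SAMPLE_REQUESTS):
        print("would alert:", uri)
```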

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

