Snort mailing list archives
PHP config and more
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 07 May 2013 13:32:12 -0600
Yea kinda doubt anyone is downloading config.inc.php in an iframe: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISED config.inc.php in iframe"; flow:from_server,established; file_data; content:"<iframe"; content:"config.inc.php"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:10000051; rev:1;) Could be wrong though ;) Comments and hints to make this better/useful are always welcome. James ------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today! http://p.sf.net/sfu/neotech_d2d_may _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- PHP config and more James Lay (May 07)
- Re: PHP config and more Joel Esler (May 07)
- Re: PHP config and more James Lay (May 08)
- Re: PHP config and more Joel Esler (May 07)