Re: PHP config and more

[James Lay <jlay () slave-tothe-box net>]

On 2013-05-07 14:15, Joel Esler wrote:
> On May 7, 2013, at 3:32 PM, James Lay <jlay () slave-tothe-box net [2]>
> wrote:
>
> > Yea kinda doubt anyone is downloading config.inc.php in an iframe:
> >
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> > (msg:"INDICATOR-COMPROMISED config.inc.php in iframe";
> > flow:from_server,established; file_data; content:"<iframe";
> > content:"config.inc.php"; within:50; fast_pattern; metadata:policy
> > balanced-ips drop, policy security-ips drop, service http;
>
> reference:url,http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html
> > [1];
> > classtype:trojan-activity; sid:10000051; rev:1;)
>
> James,
>
> With some minor modifications, this looks pretty good.
>
> I'll get it in.
>
> --
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


Thanks Joel!

James

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!