Snort mailing list archives
HideMeBetter – SPAM injection Variant
From: Paul Bottomley <Paul.Bottomley () betfair com>
Date: Thu, 1 Aug 2013 08:21:45 +0000
Here we go..

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HideMeBetter spam injection variant"; flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; file_data; content:"if(document|2e|getElementById(|22|HideMeBetter|22|)|20 21 3d 20|null)"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:xxxxx; rev:1;)
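Added example (not part of the original post or of Snort itself): a short Python check that expands the two content patterns of the rule above into the bytes they match and confirms that both must be present in a response body. It assumes the HTTP body has already been extracted, as file_data would provide; the sample bodies and the names decode_content and rule_matches are constructed for illustration.

```python
# Added example: expand the rule's two content patterns and test sample bodies.

# Content options copied verbatim from the rule in this post.
CONTENTS = [
    '<div id=|22|HideMeBetter|22|>',
    'if(document|2e|getElementById(|22|HideMeBetter|22|)|20 21 3d 20|null)',
]


def decode_content(pattern: str) -> bytes:
    """Expand Snort content syntax into the raw bytes it matches.

    Text outside |...| is literal; text inside is space-separated hex bytes.
    Backslash escapes are not handled because this rule does not use any.
    """
    segments = pattern.split('|')
    if len(segments) % 2 == 0:
        raise ValueError('unbalanced | in content pattern')
    out = bytearray()
    for i, seg in enumerate(segments):
        # Even-indexed segments are literal text, odd-indexed ones are hex.
        out += seg.encode('latin-1') if i % 2 == 0 else bytes.fromhex(seg)
    return bytes(out)


def rule_matches(body: bytes) -> bool:
    """True only if every content pattern occurs byte-for-byte in the body."""
    return all(decode_content(c) in body for c in CONTENTS)


# Constructed response bodies (hypothetical, not captured traffic).
INJECTED = (b'<html><body><p>home</p><div id="HideMeBetter">placeholder</div>'
            b'<script>if(document.getElementById("HideMeBetter") != null)'
            b'{/* placeholder */}</script></body></html>')
DIV_ONLY = b'<html><body><div id="HideMeBetter">placeholder</div></body></html>'
CLEAN = b'<html><body><p>home</p></body></html>'

if __name__ == '__main__':
    for c in CONTENTS:
        print(decode_content(c).decode('latin-1'))
    for name, body in (('INJECTED', INJECTED), ('DIV_ONLY', DIV_ONLY), ('CLEAN', CLEAN)):
        print(name, rule_matches(body))
```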