Snort mailing list archives
PseudoDarkleech Rule
From: el cabezon <elcabezzonn () gmail com>
Date: Thu, 25 Aug 2016 17:30:10 -0400
Hello,

First-time rule submitter. I wrote this while looking at trace files containing the injected script from the pseudodarkleech campaign on the compromised website. Several people have indicated that hidden iframe rules may create many fps and that a content search for "position:absolute" may be computationally expensive, but I wanted to submit it anyway to get more opinions. I tested this as much as I could, but since I only have a small home lab it was very limited. Any critiques or recommendations are welcome.

Thank you.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible Pseudodarkleech Injection"; flow:to_client,established; file_data; content:"position|3A|absolute"; pcre:"/=\x22position\x3aabsolute\x3b\x20top\x3a-\d{4}px\x3b\x20width\x3a\d{3}px\x3b\x20height\x3a\d{3}px/"; content:"iframe src"; within:20; reference:url,malware-traffic-analysis.net; sid:1000000008; rev:1;)
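To make the rule's matching logic concrete, here is an added Python emulation of its three conditions run against a few constructed HTTP response bodies. It is not the submitter's code and not Snort; it approximates how the bare content match acts as a pre-filter, the pcre supplies the off-screen-div specificity, and `within:20` requires "iframe src" to end within 20 bytes of the pcre match. The sample HTML and the `example.invalid` hostnames are constructed, not real captures.

```python
import re

# Emulation of the submitted rule's matching steps against an HTTP response
# body (the buffer that file_data selects). Added illustration, not Snort.
CONTENT_1 = b"position:absolute"          # content:"position|3A|absolute"
PCRE = re.compile(                         # the rule's pcre option, decoded
    rb'="position:absolute; top:-\d{4}px; width:\d{3}px; height:\d{3}px'
)
CONTENT_2 = b"iframe src"                  # content:"iframe src"; within:20;
WITHIN = 20


def pseudodarkleech_hits(body: bytes) -> list:
    """Return the byte offsets of every region of `body` satisfying all three
    rule conditions. Snort's `within` is relative to the end of the previous
    match, so "iframe src" must sit entirely inside the 20 bytes that follow
    the pcre match."""
    if CONTENT_1 not in body:              # cheap pre-filter, like the content match
        return []
    hits = []
    for m in PCRE.finditer(body):
        window = body[m.end():m.end() + WITHIN]
        if CONTENT_2 in window:
            hits.append(m.start())
    return hits


# Constructed sample bodies (not real captures).
# Off-screen div immediately wrapping an iframe: should alert.
INJECTED = (
    b'<html><body><p>normal page</p>'
    b'<div style="position:absolute; top:-1999px; width:300px; height:200px;">'
    b'<iframe src="http://landing.example.invalid/index.html"></iframe></div>'
    b'</body></html>'
)
# Same off-screen div, but the iframe begins more than 20 bytes later: no alert.
PADDED = (
    b'<div style="position:absolute; top:-1999px; width:300px; height:200px;">'
    b'<span>twenty-plus bytes of padding here</span>'
    b'<iframe src="http://landing.example.invalid/index.html"></iframe></div>'
)
# Ordinary absolutely positioned embed (positive, two-digit top): no alert.
BENIGN = (
    b'<div style="position:absolute; top:10px; width:300px; height:200px;">'
    b'<iframe src="http://video.example.invalid/embed"></iframe></div>'
)

if __name__ == "__main__":
    for name, body in (("INJECTED", INJECTED), ("PADDED", PADDED), ("BENIGN", BENIGN)):
        print(name, pseudodarkleech_hits(body))
```

Running it shows the rule fires only on the first body: the pcre rejects the benign positive offset, and the `within:20` constraint rejects the padded variant even though the off-screen div is present. Those two checks are what keep the inexpensive but very common "position:absolute" string from alerting on its own.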