Snort mailing list archives

PseudoDarkleech Rule


From: el cabezon <elcabezzonn () gmail com>
Date: Thu, 25 Aug 2016 17:30:10 -0400

Hello,

First-time rule submitter. I wrote this while looking at trace files
containing the injected script from the pseudodarkleech campaign on the
compromised website. Several people have indicated that hidden iframe rules
may create many fps and a content search for "position:absolute" may be
computationally expensive, but I wanted to submit it anyway to get more
opinions. I tested this as much as I could, but since I only have a small
home lab it was very limited. Any critiques or recommendations are welcome.
Thank you.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible Pseudodarkleech Injection"; flow:to_client,established; file_data; content:"position|3A|absolute"; pcre:"/=\x22position\x3aabsolute\x3b\x20top\x3a-\d{4}px\x3b\x20width\x3a\d{3}px\x3b\x20height\x3a\d{3}px/"; content:"iframe src"; within:20; reference:url,malware-traffic-analysis.net; sid:1000000008; rev:1;)
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
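The rule's three-stage matching logic applied to an HTTP response body, as an added Python example (not the poster's code and not a Snort component). The HTML bodies are constructed samples and example.invalid is a reserved placeholder hostname; the example shows the injected-div hit the rule is after, and the cases where the within:20 window and the \d{4} top offset keep it from firing.

```python
import re

# Matching logic of the submitted Snort rule, modelled over a response body.
# content:"position|3A|absolute"  (|3A| is ':' in Snort hex notation)
CONTENT_1 = b"position:absolute"
# The rule's pcre with Snort's \xNN escapes written out:
# \x22 is '"', \x3a is ':', \x3b is ';', \x20 is a space
STYLE_RE = re.compile(
    rb'="position:absolute; top:-\d{4}px; width:\d{3}px; height:\d{3}px'
)
# content:"iframe src"; within:20 -> must end within 20 bytes of the pcre match end
CONTENT_2 = b"iframe src"
WITHIN = 20


def rule_matches(body: bytes) -> bool:
    """True when body satisfies all three ordered matches of the rule."""
    if CONTENT_1 not in body:  # cheap literal check first, as Snort does
        return False
    for m in STYLE_RE.finditer(body):  # try every pcre hit, not only the first
        # within:20 restricts the next content to the 20 bytes after the cursor
        if CONTENT_2 in body[m.end():m.end() + WITHIN]:
            return True
    return False


# Constructed sample bodies (not real captures); example.invalid is reserved.
INJECTED = (
    b'<div style="position:absolute; top:-1867px; width:265px; height:297px;">'
    b'<iframe src="http://example.invalid/x.php"></iframe></div>'
)
# Same hidden style but no iframe: the pcre hits, the within check fails
BENIGN_TOOLTIP = (
    b'<div style="position:absolute; top:-1000px; width:200px; height:150px;">'
    b'Hover text</div>'
)
# iframe present but more than 20 bytes past the style string: within:20 fails
IFRAME_TOO_FAR = (
    b'<div style="position:absolute; top:-1867px; width:265px; height:297px;">'
    b'<!-- offscreen preloader --><iframe src="http://example.invalid/x.php">'
)
# Only three digits in top: \d{4} in the pcre does not match, rule is silent
SHORT_OFFSET = (
    b'<div style="position:absolute; top:-867px; width:265px; height:297px;">'
    b'<iframe src="http://example.invalid/x.php"></iframe></div>'
)

if __name__ == "__main__":
    for name, body in [("injected", INJECTED), ("benign_tooltip", BENIGN_TOOLTIP),
                       ("iframe_too_far", IFRAME_TOO_FAR), ("short_offset", SHORT_OFFSET)]:
        print(f"{name}: {rule_matches(body)}")
```

The last two cases are where a real deployment needs attention: the fixed digit counts and the 20-byte window are what keep false positives down, but they are also what an attacker's slightly different markup slips past, so compare against captures before trusting the rule's coverage.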