Snort mailing list archives
Offer a new sig for detecting Phoenix Exploit Kit
From: rmkml <rmkml () ligfy org>
Date: Tue, 6 Sep 2016 21:12:15 +0200 (CEST)
Hi,

The http://etplc.org open source project offers a new sig for detecting Phoenix Exploit Kit:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phoenix Exploit Kit geoip.php bdr param RCE attempt"; flow:to_server,established; content:"/geoip.php?bdr="; nocase; http_uri; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phoenix_exec.rb; classtype:web-application-activity; sid:1; rev:1;)

See reference for more information.

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml
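Added example, not part of rmkml's post or of the etplc.org rule set: a small Python model of what the posted rule does and does not match, run over constructed HTTP requests. Snort itself is the authority; this only isolates three properties of the rule that are easy to misread: the `http_uri` modifier (the literal is matched in the normalized request URI, not in headers or body), `nocase`, and the direction `$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS`, which is why the post says to check your variables. The addresses, ports and `$EXTERNAL_NET = !$HTTP_SERVERS` mapping are assumptions standing in for a local snort.conf, and `normalize_uri` is only a rough stand-in for http_inspect's URI normalization.

```python
"""
Added example (not from the post or the etplc.org project): approximate the
posted Snort rule in Python to see what it matches.

  content:"/geoip.php?bdr="; nocase; http_uri;
  $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

All requests and addresses below are constructed sample data.
"""
from urllib.parse import unquote

# The literal from the posted rule.
CONTENT = "/geoip.php?bdr="

# Assumed stand-ins for the snort.conf variables (not from the post).
HTTP_SERVERS = {"192.0.2.10", "192.0.2.11"}
HTTP_PORTS = {80, 8080}


def normalize_uri(raw_uri: str) -> str:
    """Rough stand-in for http_inspect URI normalization: percent-decode once.
    Lower-casing models the 'nocase' modifier."""
    return unquote(raw_uri).lower()


def request_uri(request: str) -> str:
    """Return the request-target from the start line of a raw HTTP request
    ('GET /x HTTP/1.1' -> '/x'); '' if the start line is malformed."""
    start_line = request.split("\r\n", 1)[0]
    parts = start_line.split(" ")
    return parts[1] if len(parts) == 3 else ""


def in_scope(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Model '$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS', assuming
    $EXTERNAL_NET is defined as !$HTTP_SERVERS (a local-config assumption)."""
    return src_ip not in HTTP_SERVERS and dst_ip in HTTP_SERVERS and dst_port in HTTP_PORTS


def rule_matches(src_ip: str, dst_ip: str, dst_port: int, request: str) -> bool:
    """True when the flow direction and the http_uri content match both hold."""
    if not in_scope(src_ip, dst_ip, dst_port):
        return False
    return CONTENT in normalize_uri(request_uri(request))


# Constructed traffic; the last field is what the rule as written would do.
SAMPLES = [
    # plain hit
    ("198.51.100.7", "192.0.2.10", 80,
     "GET /geoip.php?bdr=x HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n", True),
    # nocase: mixed case still hits
    ("198.51.100.7", "192.0.2.10", 80,
     "GET /GeoIP.PHP?BDR=x HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n", True),
    # percent-encoded URI is normalized before the literal is compared
    ("198.51.100.7", "192.0.2.10", 8080,
     "GET /geoip%2ephp%3fbdr%3dx HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n", True),
    # http_uri: the same string in the body does not count
    ("198.51.100.7", "192.0.2.10", 80,
     "POST /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 16\r\n\r\n/geoip.php?bdr=x", False),
    # literal match: bdr is not the first query parameter, so no hit
    ("198.51.100.7", "192.0.2.10", 80,
     "GET /geoip.php?a=1&bdr=x HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n", False),
    # direction: the same request leaving the network to an outside host is out of scope
    ("192.0.2.10", "203.0.113.5", 80,
     "GET /geoip.php?bdr=x HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n", False),
]


def run_samples():
    """Return [(matched, expected), ...] for every constructed sample."""
    return [(rule_matches(s, d, p, r), e) for s, d, p, r, e in SAMPLES]


if __name__ == "__main__":
    for (matched, expected), sample in zip(run_samples(), SAMPLES):
        status = "ok" if matched == expected else "MISMATCH"
        print("ALERT" if matched else "-    ", sample[3].split("\r\n", 1)[0], status)
```

The fifth sample is the caveat worth noticing when reading the rule: because `content` is a literal, a request that puts another parameter before `bdr` is not matched, and the direction restricts alerts to requests arriving at hosts listed in `$HTTP_SERVERS`, so the variables must describe the servers you actually want watched.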