Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Low hanging fruit #2

From: Joel Esler <jesler () sourcefire com>
Date: Thu, 13 Sep 2012 11:55:39 -0400
Thanks James, taking a look.

On Sep 12, 2012, at 5:58 PM, James Lay <jlay () slave-tothe-box net> wrote:


Yea...that was a good read on the Apache Mod issue:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISE Page with YWZmaWQ9MDUyODg"; flow:to_client, 
established; file_data; content:"YWZmaWQ9MDUyODg"; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
classtype:bad-unknown; sid:10000026; 
reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; 
rev:1;)

http://blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html
http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/

Certain this rule will be exciting until they change their ways.  
Hopefully I've got the flow right..don't have a pcap to bounce it off 
of.

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: