Snort mailing list archives

Re: Quick rebots sig

From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 27 Aug 2012 09:15:58 -0600

On 2012-08-27 09:08, lists () packetmail net wrote:

Hey James, looking at the reference these aren't HREFs, they're 
script tags,
which tends to make more sense with what one would expect on an owned
website.
Would this be more valuable as:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY
INDICATOR-COMPROMISE /rebots.php HTTP request in URI";
flow:established,to_server; content:"/rebots.php"; http_uri;
fast_pattern:only;
reference:url,http://labs.sucuri.net/db/malware/mwjs-include-rebots;
sid:x; rev:1;)

Cheers,
Nathan



Thanks Nathan...as usual you're cleaning up my messes...the above looks 
much better than mine :)

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Quick rebots sig James Lay (Aug 24)
- Re: Quick rebots sig Joel Esler (Aug 27)
  - Re: Quick rebots sig lists () packetmail net (Aug 27)
    - Re: Quick rebots sig James Lay (Aug 27)
    - Re: Quick rebots sig lists () packetmail net (Aug 27)
    - Re: Quick rebots sig Joel Esler (Aug 27)
    - Re: Quick rebots sig James Lay (Aug 27)