Snort mailing list archives

Unusually small php puts


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 15 May 2013 11:08:50 -0600

Last month (the 19th I think) I attended an all day security 
conference...it was pretty good.  One of the telltale signs of C2 
traffic was small php PUTs (according to one presenter), so here's a 
sig for that:

# As posted, the bare "http_uri;" had no content to modify and the msg named php
# without the rule checking for it; the uri match is attached to a ".php" content
# and the closing "rev:1;" gets its terminating semicolon.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Unusually small php PUT"; \
    flow:to_server,established; \
    content:"PUT"; http_method; \
    content:".php"; http_uri; nocase; \
    urilen:<10; \
    classtype:misc-activity; sid:10000059; rev:1;)

Might be useful, might not.  I'm embarrassed that it took me almost a 
month to get to my notes 8-|

James
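The same conditions as the signature above (PUT method, ".php" in the URI, URI shorter than 10 bytes) applied to web-server access logs, as an added example for checking the idea against historical data before deploying the rule; this is not code from the post, and the log lines, source addresses and helper names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2013:11:00:01 -0600] "PUT /x.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
10.0.0.5 - - [15/May/2013:11:00:07 -0600] "GET /index.php HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
10.0.0.9 - - [15/May/2013:11:00:09 -0600] "PUT /uploads/report-2013.php HTTP/1.1" 201 0 "-" "curl/7.29"
10.0.0.9 - - [15/May/2013:11:00:12 -0600] "PUT /a.php HTTP/1.1" 200 9 "-" "-"
10.0.0.2 - - [15/May/2013:11:00:15 -0600] "PUT /api/v1 HTTP/1.1" 204 0 "-" "python-requests"
"""

# Pull source, timestamp, method and URI out of the request line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)

MAX_URILEN = 10  # mirrors urilen:<10 in the rule (strictly less than)


def is_small_php_put(method: str, uri: str, max_len: int = MAX_URILEN) -> bool:
    """Same test the rule performs: PUT method, '.php' in the URI
    (case-insensitive, like nocase), and a URI shorter than max_len bytes."""
    return method == "PUT" and ".php" in uri.lower() and len(uri) < max_len


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line that would have fired the signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than guess
        if is_small_php_put(m["method"], m["uri"]):
            hits.append({"src": m["src"], "ts": m["ts"], "uri": m["uri"]})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} POLICY Unusually small php PUT uri={h["uri"]}')
```

Running it over the constructed lines flags only the two short PUTs to .php paths; the long upload path and the non-php PUT stay quiet, which is the same behaviour the urilen and content checks give in the rule.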
