Snort mailing list archives

Re: [Emerging-Sigs] Unusually small php puts


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 16 May 2013 14:37:10 -0400

I'm going to test it in our test systems James, we'll see how it goes.


On May 15, 2013, at 1:08 PM, James Lay <jlay () slave-tothe-box net> wrote:

Last month (the 19th I think) I attended an all day security conference...it was pretty good.  One of the telltale
signs of C2 traffic was small php PUTs (according to one presenter), so here's a sig for that:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Unusually small php PUT"; flow:to_server,established; content:"PUT"; http_method; content:".php"; http_uri; nocase; urilen:<10; classtype:misc-activity; sid:10000059; rev:1;)

Might be useful, might not.  I'm embarrassed that it took me almost a month to get to my notes 8-|

James
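To see what the posted signature actually fires on before dropping it into a sensor, the following script re-implements its three conditions (PUT method, ".php" somewhere in the URI, URI shorter than 10 bytes) and runs them over a handful of request lines. This is added example code, not James's rule or anything from Emerging Threats or Snort; the request lines are constructed, and the URI length is the raw byte length of the request-URI, which only approximates Snort's urilen on the normalized buffer.

```python
"""Offline approximation of the "small php PUT" rule, run over constructed
HTTP request lines. Added example; not part of the original post."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed request lines standing in for captured traffic (not real data).
SAMPLE_REQUESTS = [
    "PUT /a.php HTTP/1.1",                       # hit: PUT, .php, 6-byte URI
    "PUT /cmd.php HTTP/1.1",                     # hit: 8-byte URI
    "PUT /index.PHP HTTP/1.0",                   # miss: URI is exactly 10 bytes, not < 10
    "PUT /upload/reports/2013/q1.php HTTP/1.1",  # miss: long URI
    "POST /a.php HTTP/1.1",                      # miss: wrong method
    "PUT /x HTTP/1.1",                           # miss: no .php in URI
    "garbage line",                              # miss: not a request line
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")


@dataclass
class Hit:
    method: str
    uri: str
    urilen: int


def parse_request_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (method, uri) for a well-formed HTTP request line, else None."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    return m.group("method"), m.group("uri")


def small_php_put(line: str, max_urilen: int = 10) -> Optional[Hit]:
    """Apply the rule's conditions to one request line.

    Mirrors: content:"PUT"; http_method;  content:".php"; http_uri; nocase;
             urilen:<10;
    urilen is taken as the byte length of the URI as sent, an approximation
    of Snort's urilen keyword.
    """
    parsed = parse_request_line(line)
    if parsed is None:
        return None
    method, uri = parsed
    if method != "PUT":
        return None
    if ".php" not in uri.lower():          # nocase match on the URI buffer
        return None
    urilen = len(uri.encode("utf-8"))
    if urilen >= max_urilen:                # urilen:<10 means strictly less than
        return None
    return Hit(method, uri, urilen)


def scan(lines: List[str]) -> List[Hit]:
    """Run the check over a batch of request lines and return the hits."""
    return [h for h in (small_php_put(l) for l in lines) if h is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"ALERT POLICY Unusually small php PUT: "
              f"{hit.method} {hit.uri} (urilen={hit.urilen})")
```

Running it shows only the two short ".php" PUTs alerting; the 10-byte "/index.PHP" line is a useful boundary case, since urilen:<10 excludes it. Because the rule is a POLICY-class catch-all with no payload content beyond the extension, expect to tune max_urilen or add exceptions for any in-house application that legitimately issues short PUTs to PHP endpoints.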