Snort mailing list archives

Re: [Snort-sigs] HideMeBetter – SPAM injection Variant


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 5 Aug 2013 10:15:15 -0400

So Paul, sorry for taking a while to get back to you.

A couple comments here.

#1 -- You only need file_data once.  It comes before the content matches in
the file_data buffer, which you used correctly, but you only need it once
in the rule if you aren't backing out of that buffer at any time (which you
aren't in this rule).
#2 -- You forgot a semicolon behind the big content match, no biggie.
#3 -- Don't forget to remove "http://" in the url reference.

Otherwise, committed this morning.


On Thu, Aug 1, 2013 at 4:21 AM, Paul Bottomley
<Paul.Bottomley () betfair com> wrote:

 Here we go..

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HideMeBetter
spam injection variant"; flow:to_client,established; file_data;
content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; file_data;
content:"if(document|2e|getElementById(|22|HideMeBetter|22|)|20 21 3d
20|null)" metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; reference:url,
http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html;
classtype:trojan-activity; sid:xxxxx; rev:1;)



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
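As an added illustration (not code from this thread or from the Snort project): a small Python checker that tokenises the posted rule's option list and flags the three points raised in the review above. The rule string is a one-line copy of the rule as posted; the set of sticky-buffer keywords and the no-escaped-quotes assumption in the tokeniser are assumptions of this example.

```python
import re

# Sample input, constructed by joining the rule as posted in the thread onto one line.
POSTED_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HideMeBetter spam injection variant"; '
    'flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; '
    'file_data; content:"if(document|2e|getElementById(|22|HideMeBetter|22|)|20 21 3d 20|null)" '
    'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, '
    'service http; reference:url,http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; '
    'classtype:trojan-activity; sid:xxxxx; rev:1;)'
)

# Keywords that switch the "sticky" buffer later content matches are evaluated in (assumed set).
STICKY_BUFFERS = {"file_data", "pkt_data", "base64_data"}


def split_options(rule):
    """Option tokens between the rule's parentheses; ';' splits only outside double quotes (assumes no \\" escapes)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    parts = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body)
    return [p.strip() for p in parts if p.strip()]


def lint_rule(rule):
    """Flag the review's three points: redundant sticky buffer, dropped ';', scheme left in reference:url."""
    findings, current_buffer = [], "pkt_data"
    for tok in split_options(rule):
        name = tok.split(":", 1)[0].strip()
        if name in STICKY_BUFFERS:
            if name == current_buffer:
                findings.append(f"redundant {name}: buffer is already {name}")
            current_buffer = name
        # A quoted value directly followed by another 'keyword:' means the ';' between them was dropped.
        m = re.match(r'^\w+:"(?:[^"\\]|\\.)*"\s+(\w+):', tok)
        if m:
            findings.append(f"missing ';' before {m.group(1)}")
        if name == "reference" and re.match(r"url,https?://", tok.split(":", 1)[1].strip()):
            findings.append("reference:url should not include the http:// scheme")
    return findings


if __name__ == "__main__":
    for finding in lint_rule(POSTED_RULE):
        print(finding)
```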
