
Re: Multiple signatures 023


From: Matthew Mickel <mmickel () sourcefire com>
Date: Tue, 12 Feb 2019 08:33:19 -0500

Hi, Yaser-

Thanks for your submissions.  We will test the rules and get back to you once we’ve finished.  Any PCAPs that you can 
provide are greatly appreciated.  Thank you!  Best,

Matt Mickel

On Feb 12, 2019, at 7:07 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:


# --------------------
# Title: Threat Actor “Magecart”: Coming to an eCommerce Store Near You
# Reference: https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/
# Tests: NA
# Yara: NA
# ClamAV: NA
# Hashes: NA
# Notes: Not sure whether this is "good" detection; it relies on too many assumptions.

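# All 30 rules below share one shape and differ only in the plugin path matched in the URI:
#   - inbound, established, client-to-server HTTP ($EXTERNAL_NET -> $HOME_NET $HTTP_PORTS)
#   - the normalized URI contains the plugin path (fast_pattern:only -> the path is handed
#     to the fast-pattern matcher and is NOT re-evaluated as a rule option afterwards)
#   - the normalized URI also contains "dl="
#   - the request method is POST
#   - no "Referer" header is present (negated content on the http_header buffer)
# Review notes for whoever tests these:
#   - Because the path content is fast_pattern:only, it is not re-checked by the rule engine;
#     NOTE(review): the fast-pattern matcher is not case-sensitive, so mixed-case paths
#     (e.g. /CustomGrid/... in sid 8000520 vs /customgrid/... in sid 8000528) may not be
#     distinguished -- confirm on a PCAP before relying on the split.
#   - Every rule carries the identical msg, so the sid is the only field that tells an
#     analyst which path fired; a per-path msg suffix would make triage easier.
#   - The missing Referer header is a weak discriminator on its own (many non-browser
#     clients omit it); the "dl=" URI parameter plus POST does most of the work, and the
#     author's own note flags the assumptions involved.
#   - The submission had sid:800024 for the /vendors/credit/withdraw/review/ rule (a dropped
#     digit); it is renumbered 8000524 here so the 8000514-8000543 block stays contiguous.
#   - Rules are kept to one physical line each; the mailing-list archive had wrapped them.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/customer_notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000514; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/appointment/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000515; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/AvisVerifies/dialog/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000516; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/pdffree/Product/pdfsave/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000517; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/ajax/Showroom/submit/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000518; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/netgocust/Gwishlist/updategwishlist/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000519; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/CustomGrid/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000520; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/simplebundle/Cart/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000521; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/layaway/view/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000522; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/multidealpro/index/edit/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000523; rev:1;)

# sid corrected from the submitted 800024 (dropped digit) to 8000524.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/credit/withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000524; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/customgrid/Blcg_Column_Renderer_index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000525; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/tabshome/index/ajax/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000526; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/customgrid/Blcg/Column/Renderer/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000527; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/customgrid/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000528; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/aheadmetrics/auth/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000529; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/gwishlist/Gwishlist/updategwishlist/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000530; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/credit_withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000531; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000532; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/emaildirect/abandoned/restore/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000533; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000534; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/bssreorderproduct/list/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000535; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/advancedreports/chart/tunnel/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000536; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/minifilterproducts/index/ajax/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000537; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/ajaxproducts/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000538; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/qquoteadv/download/downloadCustomOption/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000539; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/freegift/cart/gurlgift/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000540; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/madecache/varnish/esi/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000541; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/customer/notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000542; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/prescription/Prescription/amendQuoteItemQty/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000543; rev:1;)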

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
