[Snort-sigs] Russian Ebay scam rule
matt at ...2436...
Fri Jul 16 14:05:02 EDT 2004
Here's a sig we're using to see if anyone has been compromised by the
scam being noted in these URLs (since the compromise may have occurred
before we had rules to see the chm IE issues).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING_EDGE
Russian Bank Ebay Scam Link Captured Information Submitted";
ads/post.php"; sid:2000552; rev:1;)
It's up and live in the bleeding set. Going to work up a couple for the
Was going to do up some for other parts of the scams, but they can
change so quickly I don't think it's worth it. If you see this rule hit
you know you have a problem.
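
The retrospective check the post describes can also be run over stored proxy logs. The sketch below is an added example, not part of the original post or the Bleeding Edge rule set. It assumes a simple "epoch client method url" log format, a 10.0.0.0/8 HOME_NET and constructed sample lines, and it uses only the `ads/post.php` fragment that survives in the rule text above.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumption: internal range standing in for $HOME_NET.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
# Only this tail of the rule's match string is visible in the post.
URI_FRAGMENT = "ads/post.php"

# Constructed sample proxy log: "<epoch> <client_ip> <method> <url>"
SAMPLE_LOG = """\
1089990001 10.1.2.3 GET http://www.example.com/index.html
1089990050 10.1.2.3 POST http://scam.example.net/ads/post.php
1089990102 10.4.4.9 GET http://scam.example.net/ADS/post%2Ephp?x=1
1089990200 192.0.2.7 POST http://scam.example.net/ads/post.php
1089990300 10.9.9.9 GET http://www.example.org/downloads/post.php
malformed line
"""

def hunt(log_text, fragment=URI_FRAGMENT, home_net=HOME_NET):
    """Group matching requests by internal client.

    Each hit is (timestamp, method, url, aligned). aligned is False when
    the fragment only matches mid-segment (e.g. "downloads/post.php"),
    which marks a likely false positive for triage.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url = parts
        try:
            if ipaddress.ip_address(client) not in home_net:
                continue  # the rule only covers HOME_NET -> EXTERNAL_NET
        except ValueError:
            continue
        # Decode %xx escapes and fold case before matching the path.
        path = unquote(urlsplit(url).path).lower()
        if fragment in path:
            aligned = ("/" + fragment) in path
            hits[client].append((ts, method, url, aligned))
    return dict(hits)

if __name__ == "__main__":
    for client, rows in sorted(hunt(SAMPLE_LOG).items()):
        for ts, method, url, aligned in rows:
            print(client, ts, method, url, "" if aligned else "(mid-segment)")
```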