[Snort-sigs] Russian Ebay scam rule

Matthew Jonkman matt at ...2436...
Fri Jul 16 14:05:02 EDT 2004


Here's a sig we're using to see if anyone has been compromised by the 
scam being noted in these URLs (since the compromise may have occurred 
before we had rules to see the chm IE issues):

http://isc.sans.org/diary.php?date=2004-07-16
http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=142

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING_EDGE Russian Bank Ebay Scam Link Captured Information Submitted"; reference:url,spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=142; reference:url,isc.sans.org/diary.php?date=2004-07-16; uricontent:"/loads/post.php"; sid:2000552; rev:1;)

It's up and live in the bleeding set. Going to work up a couple for the 
Was going to do up some for other parts of the scams, but they can 
change so quickly I don't think it's worth it. If you see this rule hit 
you know you have a problem.

Matt
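To show what the rule above actually tests, here is an added example (not part of Matt's post or the Bleeding Edge set) that parses the rule header and options and applies the direction, port and uricontent checks to a few constructed web-proxy log lines; the HOME_NET and HTTP_PORTS values are assumptions, as a real sensor takes them from snort.conf.

```python
import ipaddress
import re

# The rule from the post, with the references dropped for brevity.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING_EDGE Russian Bank '
        'Ebay Scam Link Captured Information Submitted"; uricontent:"/loads/post.php"; '
        'sid:2000552; rev:1;)')

# Assumed variable values for this example only (snort.conf defines the real ones).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
HTTP_PORTS = {80, 8080}

def parse_rule(rule):
    """Split a Snort rule into its seven header words and an options dict (key -> list of values)."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {}
    for key, val in re.findall(r'(\w+):\s*"?([^";]*)"?\s*;', body.rstrip(")")):
        opts.setdefault(key, []).append(val)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def matches(parsed, client_ip, server_ip, dport, uri):
    """Apply the $HOME_NET -> $EXTERNAL_NET, $HTTP_PORTS and uricontent tests to one log entry."""
    client, server = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
    if client not in HOME_NET or server in HOME_NET:   # wrong direction: ignore
        return False
    if dport not in HTTP_PORTS:                        # not an HTTP port the rule watches
        return False
    # uricontent is a case-sensitive substring test on the (normalized) request URI
    return all(needle in uri for needle in parsed["opts"].get("uricontent", []))

# Constructed proxy log lines: "client server dst_port uri"
LOG = """10.1.2.3 203.0.113.9 80 /loads/post.php
10.1.2.4 203.0.113.9 80 /index.html
10.1.2.5 203.0.113.9 443 /loads/post.php
192.0.2.7 203.0.113.9 80 /loads/post.php"""

def scan(log, rule=RULE):
    """Return (client, sid, msg) for every log line the rule would alert on."""
    parsed = parse_rule(rule)
    hits = []
    for line in log.splitlines():
        client, server, port, uri = line.split()
        if matches(parsed, client, server, int(port), uri):
            hits.append((client, parsed["opts"]["sid"][0], parsed["opts"]["msg"][0]))
    return hits

if __name__ == "__main__":
    for hit in scan(LOG):
        print(hit)
```

Only the first line fires: the second has a different URI, the third is on port 443 (not in HTTP_PORTS), and the fourth comes from outside HOME_NET.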