[Snort-sigs] Has a rule been created for this?

evilghost at ...3397...
Tue Apr 13 12:58:38 EDT 2010


AFAIK Snort doesn't decode multipart/form-data so I don't think you can 
do something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Suspicious PHP File Upload, L0oZuRpAnTz"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"<?php"; nocase; \
    content:"/*L0oZuRpAnTz*/"; \
    content:"array(\"DuMb\",\"DuMbEr\",\"DuMbEsT\")\;"; \
    classtype:bad-unknown; \
    reference:url,forums.devnetwork.net/viewtopic.php%3Ff%3D34%26t%3D88942; \
    sid:2010xxx; rev:1;)

Be curious to see what the SF folks do or come up with.

-evilghost

Adam Richards wrote:
> Correct.
>
> Adam Richards,CISSP | CEH
>
>
> -----Original Message-----
> From: evilghost at ...3397... [mailto:evilghost at ...3397...] 
> Sent: Tuesday, April 13, 2010 11:40 AM
> To: Adam Richards
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Has a rule been created for this?
>
> PHP is server-side, what behavior were you wanting to alert on 
> specifically? Best I can figure you want to detect on upload of this 
> file to an HTTPd, correct?
>
> -evilghost
>
> Adam Richards wrote:
>
>> I have been seeing this obfuscated php file around a lot lately and I
>> wasn't sure if there was a rule yet for it. There are a few unique
>> strings in it that we can look for.
>>
>> http://webcache.googleusercontent.com/search?q=cache:MyKUomVp7rQJ:forums.devnetwork.net/viewtopic.php%3Ff%3D34%26t%3D88942+L0oZuRpAnTz&cd=1&hl=en&ct=clnk&gl=us
>>
>>
>> Adam Richards,CISSP | CEH




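Added illustration, not code from the thread: the Python below takes the three content: strings from the proposed rule and checks them against a constructed multipart/form-data upload, once as a byte-level match over the undecoded POST body (what a content: match sees) and once after decoding the multipart parts. It shows that an ordinary upload carries the file part verbatim, so the raw match and the decoded match agree; the sample request, boundary and function names are constructed for this example.

```python
import re
from email import message_from_bytes  # stdlib MIME parser also splits multipart/form-data

# The three content: matches from the rule above (the "\;" in the rule is Snort's
# escape for a literal semicolon; "<?php" is matched case-insensitively, as nocase does).
INDICATORS = [
    re.compile(rb"<\?php", re.IGNORECASE),
    re.compile(re.escape(b"/*L0oZuRpAnTz*/")),
    re.compile(re.escape(b'array("DuMb","DuMbEr","DuMbEsT");')),
]

def split_http_request(raw):
    """Split a raw HTTP request into (method, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0].decode()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method, headers, body

def match_raw_body(method, body):
    """Byte-level check, like content: matches on the undecoded POST body."""
    return method == "POST" and all(p.search(body) for p in INDICATORS)

def match_decoded_parts(headers, body):
    """Decode multipart/form-data and return filenames of parts carrying all indicators."""
    ctype = headers.get("content-type", "")
    msg = message_from_bytes(("Content-Type: %s\r\n\r\n" % ctype).encode() + body)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # only file parts have a filename= parameter
        if filename and all(p.search(part.get_payload(decode=True)) for p in INDICATORS):
            hits.append(filename)
    return hits

def inspect_request(raw):
    """Run both checks on one raw request; for an unencoded upload both agree."""
    method, headers, body = split_http_request(raw)
    return {"raw_match": match_raw_body(method, body),
            "file_hits": match_decoded_parts(headers, body)}

# Constructed sample upload (not real traffic): a .php part carrying the three strings.
BOUNDARY = b"----constructedBoundary42"
SAMPLE_UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="pic.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b'<?PHP /*L0oZuRpAnTz*/ $a = array("DuMb","DuMbEr","DuMbEsT"); ?>\r\n'
    b"--" + BOUNDARY + b"--\r\n"
)

if __name__ == "__main__":
    print(inspect_request(SAMPLE_UPLOAD))  # {'raw_match': True, 'file_hits': ['pic.php']}
```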