[Snort-sigs] does snort pick up the lizamoon attack?

Alex Kirk akirk at ...435...
Thu Mar 31 18:17:07 EDT 2011


Detecting compromised pages should be trivial:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"SPECIFIC-THREATS lizamoon.com SQL injection compromised page"; \
    flow:established,to_client; \
    content:"script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"; nocase; \
    classtype:trojan-activity; \
)

We can toss that into an upcoming SEU, given its growing prevalence.

On Thu, Mar 31, 2011 at 6:08 PM, Jason Haar <Jason.Haar at ...651...> wrote:

> Hi there
>
> As you are all no doubt aware, the "lizamoon" SQL injection attack has
> already hacked over 380,000 URLs. Does anyone know if snort picks it up via
> one of its existing rules, and if not, has anyone written one?
>
> Thanks
>
>
> http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
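To see exactly what the rule above matches, here is an added example (not part of the thread, and not Sourcefire code) that decodes the Snort content string, including its |hex| segments, and applies the same case-insensitive substring test to constructed HTTP response bodies:

```python
# Added example: emulate the content/nocase match of the rule posted above.
# RULE_CONTENT is copied from the rule; the sample responses are constructed, not captures.
RULE_CONTENT = "script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string: literal text outside |...|, hex bytes inside."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal segment
        else:
            out += bytes.fromhex(part)         # "3A 2F 2F" -> b"://"
    return bytes(out)


def matches_rule(http_response: bytes, content: str = RULE_CONTENT, nocase: bool = True) -> bool:
    """True if the decoded content occurs in the server-to-client data (nocase => ASCII case-folded)."""
    needle = snort_content_to_bytes(content)
    haystack = http_response
    if nocase:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


# Constructed sample responses: one injected page, one in upper case, one clean page.
SAMPLES = {
    "injected": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><head><title>Shop</title>"
                 b"<script src=http://lizamoon.com/ur.php></script></head></html>"),
    "injected_upper": b"HTTP/1.1 200 OK\r\n\r\n<SCRIPT SRC=HTTP://LIZAMOON.COM/UR.PHP></SCRIPT>",
    "clean": b"HTTP/1.1 200 OK\r\n\r\n<html><script src=http://example.com/app.js></script></html>",
}


def scan_samples(samples=SAMPLES):
    """Run the emulated rule over every sample; returns {name: alert_fired}."""
    return {name: matches_rule(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Because the match is a literal substring, only responses containing the unquoted `src=http://lizamoon.com/ur.php` form fire; when tuning coverage, compare the rule's content against the exact injected markup seen in your own traffic.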

