[Snort-sigs] does snort pick up the lizamoon attack?

Jason Haar Jason.Haar at ...651...
Thu Mar 31 18:25:53 EDT 2011


On 04/01/2011 11:17 AM, Alex Kirk wrote:
> Detecting compromised pages should be trivial:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS lizamoon.com SQL
> injection compromised page"; flow:established,to_client;
> content:"script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"; nocase;
> classtype:trojan-activity;)
>
Hi Alex

Not quite so trivial. For one thing, they aren't using lizamoon.com any
more... For another, you are picking up users downloading from infected
sites, and I'm after picking up attacks against our webservers. I was
more asking if the existing SQL injection attack rules pick up the
thing, or if someone had weblogs of the actual attack and had written
rules to pick it up based on its behaviour beyond the hostname it points
to - as that is being rotated.

e.g.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"lizamoon SQL
injection attack"; flow:established,to_server; content:"script
src=http|3A 2F 2F|"; content:"ur.php";within:50; nocase;
classtype:web-application-attack;)

might be better - but that assumes they're not doing fiddly
urlencoding/etc. I dunno - I haven't seen it.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
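An added example, not code from either post in this thread: it emulates the two-content, within:50 check of the rule above over constructed request lines, once against the raw bytes and once after percent-decoding, to show the urlencoding caveat the post raises. The host example.invalid is a placeholder, since the real hostname is rotated.

```python
# Added example (not from the thread): emulate the content/within:50 check
# of the rule above over constructed HTTP request lines, with and without
# percent-decoding, to show where a raw content match misses an encoded payload.
from urllib.parse import unquote

FIRST = "script src=http://"   # content:"script src=http|3A 2F 2F|"
SECOND = "ur.php"              # content:"ur.php"; within:50
WITHIN = 50

# Constructed request lines (not captured traffic); example.invalid is a
# placeholder for the rotated hostname.
SAMPLE_REQUESTS = [
    "GET /page.asp?id=1 HTTP/1.1",
    "GET /page.asp?id=1;update t set c=c+'<script src=http://example.invalid/ur.php></script>' HTTP/1.1",
    "GET /page.asp?id=1%3Bupdate%20t%20set%20c%3Dc%2B%27%3Cscript%20src%3Dhttp%3A%2F%2Fexample.invalid%2Fur.php%3E%27 HTTP/1.1",
]


def rule_matches(payload: str, decode: bool = False) -> bool:
    """True if payload satisfies the rule's content checks (nocase).

    Snort's within:N requires the second content to lie entirely inside the
    N bytes that follow the end of the previous match; like Snort, retry
    later occurrences of the first content if the window check fails.
    """
    data = unquote(payload) if decode else payload   # one decoding pass only
    low = data.lower()
    pos = 0
    while True:
        i = low.find(FIRST, pos)
        if i < 0:
            return False
        end = i + len(FIRST)
        if low.find(SECOND, end, end + WITHIN) >= 0:
            return True
        pos = i + 1


def scan(lines, decode: bool = False):
    """Return 1-based indexes of the lines the emulated rule would alert on."""
    return [n for n, line in enumerate(lines, 1) if rule_matches(line, decode)]


if __name__ == "__main__":
    print("raw match:    ", scan(SAMPLE_REQUESTS))               # [2]
    print("decoded match:", scan(SAMPLE_REQUESTS, decode=True))  # [2, 3]
```

In Snort itself, pairing the content checks with http_uri matches against the http_inspect preprocessor's normalized (decoded) URI buffer, whereas the rule as written matches the raw stream and so behaves like the undecoded pass here.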