[Snort-sigs] does snort pick up lthe izamoon attack?

Joel Esler jesler at ...435...
Thu Mar 31 18:26:48 EDT 2011


Might be interesting either way. To see if one of your users was browsing to a compromised site, but also interesting to see an outbound one ($HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any) to see if one of your sites was compromised.



-- 
Joel Esler
http://blog.snort.org | http://vrt-blog.snort.org
Twitter: http://twitter.com/snort

On Thursday, March 31, 2011 at 6:17 PM, Alex Kirk wrote: 
> Detecting compromised pages should be trivial:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS lizamoon.com SQL injection compromised page"; flow:established,to_client; content:"script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"; nocase; classtype:trojan-activity;) 
> 
> We can toss that into an upcoming SEU, given its growing prevalence.
> 
> On Thu, Mar 31, 2011 at 6:08 PM, Jason Haar <Jason.Haar at ...651...> wrote:
> > Hi there
> > 
> >  As you are all no doubt aware, the "lizamoon" SQL injection attack has
> >  already hacked over 380,000 urls. Does anyone know if snort picks it via
> >  one of it's existing rules, and if not, has anyone written one?
> > 
> >  Thanks
> > 
> > http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx
> > 
> >  --
> >  Cheers
> > 
> >  Jason Haar
> >  Information Security Manager, Trimble Navigation Ltd.
> >  Phone: +64 3 9635 377 Fax: +64 3 9635 417
> >  PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> > 
> > 
> >  ------------------------------------------------------------------------------
> >  Create and publish websites with WebMatrix
> >  Use the most popular FREE web apps or write code yourself;
> >  WebMatrix provides all the features you need to develop and
> >  publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> >  _______________________________________________
> >  Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> > 
> 
> 
> -- 
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...435...
> ------------------------------------------------------------------------------
> Create and publish websites with WebMatrix
> Use the most popular FREE web apps or write code yourself; 
> WebMatrix provides all the features you need to develop and 
> publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20110331/bb360025/attachment.html>


More information about the Snort-sigs mailing list