[Snort-sigs] Quick rebots sig

James Lay jlay at ...3266...
Fri Aug 24 17:40:48 EDT 2012


Eh...quick and dirty:

# Matches HTTP responses from external web servers to internal clients.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
(msg:"INDICATOR-COMPROMISE possible rebots site compromise"; \
flow:to_client,established; content:"<a href=|22|http|3a|"; \
content:"rebots.php"; fast_pattern; within:30; classtype:bad-unknown; \
sid:10000020; \
reference:url,http://labs.sucuri.net/db/malware/mwjs-include-rebots; \
rev:1;)

http://blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html
http://labs.sucuri.net/db/malware/mwjs-include-rebots

James
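
Added example, not part of the original post: a Python emulation of the rule's two case-sensitive content matches and the within:30 constraint, run over constructed response bodies to show what the signature catches and misses. Because "rebots.php" (10 bytes) must fit entirely inside the 30-byte window, at most 20 bytes of host and path may sit between the two patterns; the function names, sample bodies and placeholder hostnames are assumptions made for illustration.

```python
# Added illustration: emulates the two content matches and within:30 of the
# rule above. Payloads below are constructed samples, not captured traffic.
FIRST = b'<a href="http:'   # content:"<a href=|22|http|3a|"
SECOND = b"rebots.php"      # content:"rebots.php"; within:30
WITHIN = 30


def rule_matches(payload: bytes) -> bool:
    """True if SECOND lies entirely inside the WITHIN bytes after any FIRST match."""
    start = payload.find(FIRST)
    while start != -1:
        window_start = start + len(FIRST)
        window = payload[window_start:window_start + WITHIN]
        if SECOND in window:
            return True
        # Snort retries later occurrences of the first content on failure.
        start = payload.find(FIRST, start + 1)
    return False


def max_gap() -> int:
    """Most bytes allowed between the two patterns (host, slashes and path)."""
    return WITHIN - len(SECOND)


# Constructed HTTP response bodies (hostnames are placeholders).
SAMPLES = {
    "short host": b'<html><a href="http://a.example/rebots.php">x</a>',
    "long host": b'<a href="http://some-longer-hostname.example/rebots.php">',
    "uppercase": b'<A HREF="http://a.example/rebots.php">',
    "retry": b'<a href="http://www.example.org/index.html">home</a>'
             b'<a href="http://a.example/rebots.php">',
    "benign": b'<a href="http://a.example/robots.txt">',
}

if __name__ == "__main__":
    print("max bytes between patterns:", max_gap())
    for name, body in SAMPLES.items():
        print(f"{name:11s} -> {rule_matches(body)}")
```

The "long host" and "uppercase" samples are the coverage gaps to weigh when tuning: raising the within value or adding nocase widens the match at the cost of more false positives.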