[Snort-sigs] Quick rebots sig

Joel Esler jesler at ...435...
Mon Aug 27 11:01:51 EDT 2012


Thanks James.

Let me take a look!

On Aug 24, 2012, at 5:40 PM, James Lay <jlay at ...3266...> wrote:

> Eh...quick and dirty:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"INDICATOR-COMPROMISE possible rebots site compromise"; 
> flow:to_client,established; content:"<a href=|22|http|3a|"; 
> content:"rebots.php"; fast_pattern; within:30; classtype:bad-unknown; 
> sid:10000020; 
> reference:url,http://labs.sucuri.net/db/malware/mwjs-include-rebots; 
> rev:1;)
> 
> http://blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html
> http://labs.sucuri.net/db/malware/mwjs-include-rebots
> 
> James
> 