[Snort-sigs] Quick rebots sig

lists at ...3397...
Mon Aug 27 11:08:40 EDT 2012


Hey James, looking at the reference, these aren't HREFs, they're script tags,
which tends to make more sense with what one would expect on an owned website.
Would this be more valuable as:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
  (msg:"COMMUNITY INDICATOR-COMPROMISE /rebots.php HTTP request in URI"; \
  flow:established,to_server; content:"/rebots.php"; http_uri; fast_pattern:only; \
  reference:url,http://labs.sucuri.net/db/malware/mwjs-include-rebots; sid:x; rev:1;)

Cheers,
Nathan
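An added illustration, not code from the thread, of why the two rules behave differently: a small Python emulation of Snort's `content` / `within` matching and of an `http_uri` match, run over constructed sample traffic. It shows that the `<a href="http:` plus `rebots.php` pair never fires on a `<script src=...>` include, while a `/rebots.php` match on the client's own request catches the fetch no matter how the include was written. The host name example.invalid and all payloads are constructed.

```python
# Constructed sample traffic (not captures from the Sucuri write-up).
# 1. A compromised page whose injected include is a <script> tag.
INJECTED_SCRIPT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<html><head><script src="http://example.invalid/js/rebots.php">'
    b"</script></head><body>hello</body></html>"
)
# 2. The same include written as an anchor, which is what the href rule expects.
INJECTED_ANCHOR_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<html><body><a href="http://example.invalid/rebots.php">x</a></body></html>'
)
# 3. What the victim's browser sends next, whichever tag carried the include.
CLIENT_REQUEST = b"GET /js/rebots.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

WITHIN = 30  # the within:30 from the href-based rule


def href_rule_matches(payload: bytes) -> bool:
    """Emulate content:"<a href=|22|http|3a|"; content:"rebots.php"; within:30;.

    Snort's 'within' is relative to the end of the previous match: the second
    pattern must end no more than 30 bytes after the first pattern ends.
    """
    anchor = b'<a href="http:'
    pos = payload.find(anchor)
    if pos < 0:
        return False
    start = pos + len(anchor)
    window = payload[start:start + WITHIN]  # the only bytes 'rebots.php' may end in
    return b"rebots.php" in window


def uri_rule_matches(request: bytes) -> bool:
    """Emulate content:"/rebots.php"; http_uri; on a client request.

    http_uri restricts the match to the request URI, so only the path of the
    GET line is inspected, not headers or any body.
    """
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3:
        return False  # not a well-formed request line
    return b"/rebots.php" in parts[1]
```

The script-tag response slips past the href pair because the first pattern is never found, whereas the follow-up request to /rebots.php is identical in both cases and is what the URI rule keys on.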

On 08/27/12 10:01, Joel Esler wrote:
> Thanks James.
> 
> Let me take a look!
> 
> On Aug 24, 2012, at 5:40 PM, James Lay <jlay at ...3266...> wrote:
> 
>> Eh...quick and dirty:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
>>   (msg:"INDICATOR-COMPROMISE possible rebots site compromise"; \
>>   flow:to_client,established; content:"<a href=|22|http|3a|"; \
>>   content:"rebots.php"; fast_pattern; within:30; classtype:bad-unknown; \
>>   sid:10000020; \
>>   reference:url,http://labs.sucuri.net/db/malware/mwjs-include-rebots; \
>>   rev:1;)
>>
>> http://blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html
>> http://labs.sucuri.net/db/malware/mwjs-include-rebots
>>
>> James
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and 
>> threat landscape has changed and how IT managers can respond. Discussions 
>> will include endpoint security, mobile security and the latest in malware 
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
> 