[Snort-sigs] Quick rebots sig

James Lay jlay at ...3266...
Mon Aug 27 11:15:58 EDT 2012


On 2012-08-27 09:08, lists at ...3397... wrote:
> Hey James, looking at the reference these aren't HREFs, they're script tags,
> which tends to make more sense with what one would expect on an owned
> website.
> Would this be more valuable as:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY
> INDICATOR-COMPROMISE /rebots.php HTTP request in URI";
> flow:established,to_server; content:"/rebots.php"; http_uri;
> fast_pattern:only;
> reference:url,http://labs.sucuri.net/db/malware/mwjs-include-rebots;
> sid:x; rev:1;)
>
> Cheers,
> Nathan
>


Thanks Nathan...as usual you're cleaning up my messes...the above looks 
much better than mine :)

James
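As an added illustration, not code from the thread or from Sucuri: a small Python check that applies the matching logic of Nathan's rule (client-to-server request, `/rebots.php` in the request URI) to a few constructed HTTP requests. The percent-decoding step is a simplified stand-in for the normalized `http_uri` buffer that Snort matches against, which is why the encoded variant is still caught; the sample requests and the `example.test` host are made up.

```python
from urllib.parse import unquote

# Constructed sample client requests (not from the original thread).
REQUESTS = [
    b"GET /wp-content/rebots.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /rebots%2Ephp?x=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /robots.txt HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /index.php HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
]

# The content: keyword from the rule.
PATTERN = b"/rebots.php"


def request_uri(raw):
    """Return the request-target from an HTTP/1.x request line, or None
    when the data does not look like a client request (to_server)."""
    line, _, _ = raw.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def normalize_uri(uri):
    """Simplified stand-in for http_inspect's URI normalization:
    percent-decode only (assumption, not Snort's full algorithm)."""
    return unquote(uri.decode("latin-1")).encode("latin-1")


def rule_matches(raw, pattern=PATTERN):
    """True when the request carries the pattern in its normalized URI,
    which is what content:"..."; http_uri; checks."""
    uri = request_uri(raw)
    if uri is None:
        return False
    return pattern in normalize_uri(uri)


def scan(requests):
    """Indexes of requests that would fire the rule."""
    return [i for i, r in enumerate(requests) if rule_matches(r)]


if __name__ == "__main__":
    for i in scan(REQUESTS):
        print("alert: INDICATOR-COMPROMISE /rebots.php request:", REQUESTS[i].split(b"\r\n")[0])
```

Note that a raw-payload `content` match without `http_uri` would miss the `%2E` variant, which is one reason the `http_uri` modifier in Nathan's version is preferable.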
