[Snort-sigs] Quick rebots sig

Joel Esler jesler at ...435...
Mon Aug 27 11:27:28 EDT 2012

On Aug 27, 2012, at 11:15 AM, James Lay <jlay at ...3266...> wrote:
> On 2012-08-27 09:08, lists at ...3397... wrote:
>> Hey James, looking at the reference these aren't HREFs, they're 
>> script tags,
>> which tends to make more sense with what one would expect on an owned
>> website.
>> Would this be more valuable as:
>> INDICATOR-COMPROMISE /rebots.php HTTP request in URI";
>> flow:established,to_server; content:"/rebots.php"; http_uri;
>> fast_pattern:only;
>> reference:url,http://labs.sucuri.net/db/malware/mwjs-include-rebots;
>> sid:x; rev:1;)
>> Cheers,
>> Nathan
> Thanks Nathan...as usual you're cleaning up my messes...the above looks 
> much better than mine :)

We wouldn't put this in INDICATOR-COMPROMISE.  I'd probably put this in SPECIFIC-THREATS for now.  INDICATOR-COMPROMISE is saved for things things that indicate there is a successful compromise.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:1;)

I've added it for release.

Also, because I know Nathan will ask -- The Community ruleset tag is coming, it just got pushed back with the massive ClamAV transition that happened last quarter.  Thanks!

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120827/5169ae55/attachment.html>

More information about the Snort-sigs mailing list