[Snort-sigs] Quick rebots sig
jesler at ...435...
Mon Aug 27 11:27:28 EDT 2012
On Aug 27, 2012, at 11:15 AM, James Lay <jlay at ...3266...> wrote:
> On 2012-08-27 09:08, lists at ...3397... wrote:
>> Hey James, looking at the reference these aren't HREFs, they're
>> script tags,
>> which tends to make more sense with what one would expect on an owned
>> Would this be more valuable as:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY
>> INDICATOR-COMPROMISE /rebots.php HTTP request in URI";
>> flow:established,to_server; content:"/rebots.php"; http_uri;
>> sid:x; rev:1;)
> Thanks Nathan...as usual you're cleaning up my messes...the above looks
> much better than mine :)
We wouldn't put this in INDICATOR-COMPROMISE. I'd probably put this in SPECIFIC-THREATS for now. INDICATOR-COMPROMISE is saved for things that indicate there is a successful compromise.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:1;)
I've added it for release.
Also, because I know Nathan will ask -- The Community ruleset tag is coming, it just got pushed back with the massive ClamAV transition that happened last quarter. Thanks!
Senior Research Engineer, VRT
OpenSource Community Manager
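As an added, worked example that is not part of the thread and not VRT's or Snort's own code: a small Python rule linter that parses both variants above (the draft from the quoted reply and the released sid:24017 rule) into header fields, general options and content-modifier groups, then applies the kind of checks a rule reviewer makes by hand: the msg starts with a known category prefix, sid is numeric, rev/classtype/reference are present, a tcp rule carries flow, and fast_pattern:only is not combined with the relative modifiers (offset, depth, distance, within) that Snort 2 does not allow with it. The category list, the choice of checks and the sample rules are assumptions made for this example.

```python
"""Tiny Snort 2 rule linter (added example; not VRT or Snort project code)."""
from typing import Dict, List

# Assumption: category prefixes accepted at the start of msg. The two named in
# the thread plus "COMMUNITY" (used as a leading tag in the draft) and a few
# other common VRT category names.
KNOWN_CATEGORIES = {"INDICATOR-COMPROMISE", "SPECIFIC-THREATS", "COMMUNITY",
                    "MALWARE-CNC", "SERVER-WEBAPP"}

# Keywords that modify the preceding content: option in Snort 2 syntax.
CONTENT_MODIFIERS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
                     "http_client_body", "http_cookie", "http_method", "nocase",
                     "rawbytes", "fast_pattern", "offset", "depth", "distance", "within"}
# Modifiers that require a positional match and cannot be paired with fast_pattern:only.
RELATIVE_MODIFIERS = {"offset", "depth", "distance", "within"}

# Constructed input: the draft rule from the quoted reply and the released rule,
# each joined onto a single line exactly as written in the thread.
RULES = {
    "draft": ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY '
              'INDICATOR-COMPROMISE /rebots.php HTTP request in URI"; '
              'flow:established,to_server; content:"/rebots.php"; http_uri; sid:x; rev:1;)'),
    "released": ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS '
                 'Possible malicious redirect - rebots.php"; flow:to_server,established; '
                 'content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy '
                 'balanced-ips drop, policy security-ips drop, service http; '
                 'reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; '
                 'classtype:misc-activity; sid:24017; rev:1;)'),
}


def split_options(body: str) -> List[str]:
    """Split the option body on ';', ignoring ';' inside double-quoted strings."""
    opts: List[str] = []
    cur: List[str] = []
    in_quote = False
    for i, ch in enumerate(body):
        if ch == '"' and (i == 0 or body[i - 1] != "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(rule: str) -> Dict:
    """Split a rule into header fields, general options and content groups.

    Each content: option starts a new group; modifier keywords that follow it
    are attached to that group, which is how Snort 2 binds modifiers.
    """
    header, _, rest = rule.partition("(")
    body = rest.rsplit(")", 1)[0]
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"malformed rule header: {header!r}")
    parsed: Dict = {
        "action": fields[0], "proto": fields[1], "src": fields[2], "sport": fields[3],
        "direction": fields[4], "dst": fields[5], "dport": fields[6],
        "options": [], "contents": [],
    }
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            parsed["contents"].append({"pattern": val.strip('"'), "modifiers": {}})
        elif key in CONTENT_MODIFIERS and parsed["contents"]:
            parsed["contents"][-1]["modifiers"][key] = val
        else:
            parsed["options"].append((key, val))
    return parsed


def lint_rule(rule: str) -> List[str]:
    """Return a list of findings; an empty list means the rule passed every check."""
    p = parse_rule(rule)
    opts = dict(p["options"])  # last occurrence wins for repeated keys such as reference
    findings: List[str] = []

    category = opts.get("msg", "").strip('"').split(" ", 1)[0]
    if category not in KNOWN_CATEGORIES:
        findings.append(f"msg starts with unknown category prefix {category!r}")

    sid = opts.get("sid", "")
    if not sid.isdigit():
        findings.append(f"sid {sid!r} is not a number")
    for required in ("rev", "classtype", "reference"):
        if required not in opts:
            findings.append(f"{required} option missing")

    if p["proto"] == "tcp" and "flow" not in opts:
        findings.append("tcp rule has no flow option")
    if not p["contents"]:
        findings.append("no content match, so nothing for the fast pattern matcher")

    for c in p["contents"]:
        mods = c["modifiers"]
        clash = sorted(set(mods) & RELATIVE_MODIFIERS)
        if mods.get("fast_pattern") == "only" and clash:
            findings.append(f"content {c['pattern']!r}: fast_pattern:only cannot be "
                            f"combined with {', '.join(clash)}")
    if len(p["contents"]) > 1 and not any("fast_pattern" in c["modifiers"] for c in p["contents"]):
        findings.append("several content matches but none marked fast_pattern")
    return findings


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, "->", lint_rule(rule) or "clean")
```

Run as a script it reports the draft's placeholder sid and missing classtype/reference and passes the released rule; the same parse_rule output can feed whatever other local conventions a team wants to enforce on a rule file before it is loaded into a sensor.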