[Snort-sigs] Quick rebots sig

James Lay jlay at ...3266...
Mon Aug 27 19:47:53 EDT 2012


On Aug 27, 2012, at 9:27 AM, Joel Esler <jesler at ...435...> wrote:

> On Aug 27, 2012, at 11:15 AM, James Lay <jlay at ...3266...> wrote:
>> On 2012-08-27 09:08, lists at ...3397... wrote:
>>> Hey James, looking at the reference these aren't HREFs, they're 
>>> script tags,
>>> which tends to make more sense with what one would expect on an owned
>>> website.
>>> Would this be more valuable as:
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY
>>> INDICATOR-COMPROMISE /rebots.php HTTP request in URI";
>>> flow:established,to_server; content:"/rebots.php"; http_uri;
>>> fast_pattern:only;
>>> reference:url,http://labs.sucuri.net/db/malware/mwjs-include-rebots;
>>> sid:x; rev:1;)
>>> 
>>> Cheers,
>>> Nathan
>>> 
>> 
>> 
>> Thanks Nathan...as usual you're cleaning up my messes...the above looks 
>> much better than mine :)
> 
> We wouldn't put this in INDICATOR-COMPROMISE.  I'd probably put this in SPECIFIC-THREATS for now.  INDICATOR-COMPROMISE is saved for things that indicate there is a successful compromise.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:1;)
> 
> I've added it for release.
> 
> Also, because I know Nathan will ask -- The Community ruleset tag is coming, it just got pushed back with the massive ClamAV transition that happened last quarter.  Thanks!
> 
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Thanks gents….and I like your proactiveness Joel :D :D

James
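An added illustration, not part of the thread or of the Snort rule set: a small Python model of what the rule above matches. It approximates the normalized http_uri buffer (percent-decoding, collapsing ./.. segments, query string kept as part of the URI) and the $HOME_NET -> $EXTERNAL_NET direction over constructed requests; HOME_NET and all addresses below are made up.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed stand-ins for the Snort variables (not from the thread).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
CONTENT = "/rebots.php"          # the content: match from the rule

def normalize_uri(raw_uri: str) -> str:
    """Approximate the http_uri (normalized) buffer: percent-decode and
    collapse ./.. in the path; the query string stays part of the URI."""
    path, sep, query = unquote(raw_uri).partition("?")
    return posixpath.normpath(path) + sep + query

def rule_matches(src_ip: str, request: str) -> bool:
    """True when the request would fire the rule: the client is in $HOME_NET
    (we only see the request side, so flow:to_server holds by construction)
    and the normalized URI contains /rebots.php anywhere, query included."""
    if ipaddress.ip_address(src_ip) not in HOME_NET:
        return False
    request_line = request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False              # not a well-formed request line
    return CONTENT in normalize_uri(parts[1])

# Constructed sample traffic: (source address, raw HTTP request).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET /rebots.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("10.0.0.6", "GET /js/../rebots%2Ephp?x=1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("10.0.0.7", "GET /index.php?next=/rebots.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("10.0.0.8", "GET /robots.txt HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("203.0.113.9", "GET /rebots.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

def scan(samples):
    """Return (source, raw URI) for every request that would alert."""
    return [(src, req.split(" ")[1]) for src, req in samples if rule_matches(src, req)]

if __name__ == "__main__":
    for src, uri in scan(SAMPLE_REQUESTS):
        print(f"alert: {src} requested {uri} (SPECIFIC-THREATS rebots.php)")
```

The last sample shows why direction matters: the same URI from an address outside HOME_NET is not an infected internal client fetching the injected script, so the rule stays quiet.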