[Snort-sigs] Low hanging fruit - inforet

James Lay jlay at ...3266...
Wed Aug 29 15:27:06 EDT 2012


Not sure where I have this in my archive of bad pcaps, but inforet.html 
sure seems familiar:

http://urlquery.net/report.php?id=148265
http://jsunpack.jeek.org/dec/go?report=a70cd8d80447f3c493b1cb6f8f0706536a84d068
https://www.mywot.com/en/forum/25940--rejected-tax-transaction-rejrev-html-malware


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY INDICATOR-COMPROMISE /inforet.html HTTP request in URI"; flow:established,to_server; content:"/inforet.html"; http_uri; fast_pattern:only; sid:x; rev:1;)

from the mywot site:
(CAREFUL THESE ARE ACTIVE!)

geoprovi.es/inforet.html
jyyswh.com/inforet.html
mpmusic.es/inforet.html

Pretty sure these will change to something else over time.  Maybe 
useful, maybe not :)

James
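As an added example (not part of James's post and not Snort's own code): a small Python emulation of what the posted rule's content/http_uri test does, run over a few constructed HTTP requests, so you can see what it fires on and what it does not. The three hostnames are the ones listed in the post; the request lines, the %2E-encoded variant, the Referer/body negatives and the parse/normalize helpers are assumptions made for the example, with percent-decoding standing in for Snort's normalized URI buffer.

```python
"""
Added example, not from the original post: emulate the rule's
flow:to_server + content:"/inforet.html" + http_uri match over a few
constructed HTTP requests and report which ones would alert.
"""
from dataclasses import dataclass
from urllib.parse import unquote

INDICATOR = "/inforet.html"  # the content: string from the posted rule

# Constructed sample client->server requests (raw bytes as seen on the wire).
# Hostnames are the three from the post; paths/headers are made up here.
SAMPLE_REQUESTS = {
    "hit_basic": b"GET /inforet.html HTTP/1.1\r\nHost: geoprovi.es\r\n\r\n",
    "hit_with_query": b"GET /inforet.html?id=1 HTTP/1.1\r\nHost: jyyswh.com\r\n\r\n",
    # %2E-encoded dot: Snort's http_uri buffer is the normalized (decoded) URI
    "hit_encoded": b"GET /inforet%2Ehtml HTTP/1.1\r\nHost: mpmusic.es\r\n\r\n",
    # indicator only in the body: http_uri does not look there
    "miss_in_body": (b"POST /submit HTTP/1.1\r\nHost: example.com\r\n"
                     b"Content-Length: 13\r\n\r\n/inforet.html"),
    # indicator only in a header: http_uri does not look there either
    "miss_in_referer": (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                        b"Referer: http://x/inforet.html\r\n\r\n"),
}


@dataclass
class Request:
    method: str
    uri: str
    headers: dict
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.x request into method, URI, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, uri, headers, body)


def normalized_uri(req: Request) -> str:
    """Approximation (assumption) of Snort's http_uri buffer: percent-decoded URI."""
    return unquote(req.uri)


def rule_matches(raw: bytes, to_server: bool = True) -> bool:
    """Emulate: flow:to_server; content:"/inforet.html"; http_uri;
    It is a plain substring test on the URI buffer only, so /inforet.html?x=1
    and /inforet.html.bak would both fire, while the same string in a header
    or body would not."""
    if not to_server:          # flow:established,to_server
        return False
    req = parse_request(raw)
    return INDICATOR in normalized_uri(req)


def scan(samples: dict) -> dict:
    """Run the emulated rule over every sample; True means the rule would alert."""
    return {name: rule_matches(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLE_REQUESTS).items():
        print(f"{name:16} -> {'ALERT' if hit else '-'}")
```

The point of the negatives is the buffer restriction: because the rule uses http_uri, a Referer header or a POST body carrying the same string does not trigger it, while any URI that merely contains `/inforet.html` as a substring does. The `to_server` flag stands in for the flow keyword; a server response containing the string is never inspected.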