[Snort-sigs] Low hanging fruit - inforet
jlay at ...3266...
Wed Aug 29 16:55:56 EDT 2012
On 2012-08-29 14:06, Joel Esler wrote:
> Looking into this now. Thanks James.
> On Aug 29, 2012, at 3:47 PM, James Lay <jlay at ...3266...>
>> On 2012-08-29 13:34, lists at ...3397... wrote:
>>> On 08/29/12 14:27, James Lay wrote:
>>>> Pretty sure these will change to something else over time. Maybe
>>>> useful, maybe not :)
>>> This is associated with a Blackhole mailing campaign purporting to
>>> be from IRS (typical); I started seeing this on the 27th, IMHO I'm
>>> sure it's worth inclusion because it changes on a per-campaign basis
>>> (upload.htm, inforet.html, etc etc)
>>> I saw it with hxxp://metrotienda.netai.net/inforet.html
>> Yea...kinda figured but thought I'd chuck it out there :) Thanks
Good deal...thanks Joel. Additionally, threats that usually come in
via email (latest one I saw was the whole eFax thing) I've been taking
and adding to monitor port 25 since that's the initial point of entry.
It's dicey due to the probability of FP's (I've had only a couple) but
is extremely nice to pinpoint the root cause. Just a couple pennies