[Snort-sigs] Quick rule optimize request
jlay at ...3266...
Tue Jul 17 12:07:22 EDT 2012
Here's the rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"INDICATOR-COMPROMISE possible WordPress head injection";
content:"add_action"; content:"wp_head"; content:"check_wp_head_load";
file_data; fast_pattern; classtype:bad-unknown; sid:10000015; reference:

Chances are bad guys will change the function name, but other than that
we'll see. This should match:

@add_action("wp_head", "check_wp_head_load", mt_rand(1, 6));

But I don't have any packet caps to test this out on. Anyone have any
input on this? Add some within entries perhaps? Anyone have a pcap of
this? Thanks all.
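
An offline check of the question above, added as an example and not part of the original post: a simplified Python model of Snort's case-sensitive `content` matching with `within`, run against the sample line from the post and against constructed benign text. The `within` values (9 and 22), the option lists and every sample buffer other than the posted line are assumptions chosen for illustration; `file_data` and `fast_pattern` are not modelled.

```python
# Simplified model of ordered Snort content matching (added example).
# Each option is (pattern, within). within=None means a non-relative content:
# search the whole buffer. Otherwise the whole pattern must lie inside the
# `within` bytes that follow the end of the previous match.

def match(buf, opts, cursor=0):
    """True if every option matches; backtracks over earlier match positions."""
    if not opts:
        return True
    (pat, within), rest = opts[0], opts[1:]
    start = 0 if within is None else cursor
    limit = len(buf) if within is None else min(len(buf), cursor + within)
    pos = buf.find(pat, start, limit)
    while pos != -1:
        if match(buf, rest, pos + len(pat)):
            return True
        pos = buf.find(pat, pos + 1, limit)
    return False

# The three contents as posted: no relative modifiers, so order is not enforced.
LOOSE = [(b"add_action", None), (b"wp_head", None), (b"check_wp_head_load", None)]

# Hypothetical tightening: 9 = 2 gap bytes + len("wp_head"),
# 22 = 4 gap bytes + len("check_wp_head_load"). Values are assumptions.
TIGHT = [(b"add_action", None), (b"wp_head", 9), (b"check_wp_head_load", 22)]

# Sample line from the post.
INJECTED = b'@add_action("wp_head", "check_wp_head_load", mt_rand(1, 6));'
# Constructed benign text: "wp_head" only occurs inside "check_wp_head_load".
BENIGN = (b"Tutorial: call add_action in your theme. "
          b"Some malware defines check_wp_head_load.")
# Constructed variant with the function name changed.
RENAMED = b'@add_action("wp_head", "xyz_load", mt_rand(1, 6));'

if __name__ == "__main__":
    for name, buf in [("injected", INJECTED), ("benign", BENIGN),
                      ("renamed", RENAMED)]:
        print(name, "loose:", match(buf, LOOSE), "tight:", match(buf, TIGHT),
              "first two tight:", match(buf, TIGHT[:2]))
```

Because "wp_head" is a substring of "check_wp_head_load", the second content adds nothing unless it is tied to the position of the first; the renamed variant is only caught by the first two options.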