[Snort-sigs] Quick rule optimize request

James Lay jlay at ...3266...
Tue Jul 17 12:07:22 EDT 2012


Hey all,

Here's the rule:

# file_data moved ahead of the content keywords so the matches run in the
# reassembled HTTP body (a trailing file_data applies to nothing); fast_pattern
# attached to the most specific content; reference given the url, prefix Snort
# expects; backslashes continue the rule across lines.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
(msg:"INDICATOR-COMPROMISE possible WordPress head injection"; \
file_data; content:"add_action"; content:"wp_head"; \
content:"check_wp_head_load"; fast_pattern; \
reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head; \
classtype:bad-unknown; sid:10000015; rev:1;)

Chances are bad guys will change the function name, but other than that 
we'll see.  This should match:

@add_action("wp_head", "check_wp_head_load", mt_rand(1, 6));

But I don't have any packet caps to test this out on.  Anyone have any 
input on this?  Add some within entries perhaps?  Anyone have a pcap of 
this?  Thanks all.

James
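An added example (not the poster's rule and not Snort's own matching code) that approximates Snort's ordered content matching with the within modifier in Python, to show what adding within entries would change: the three strings still fire on the injected line, but no longer on text that merely mentions all three far apart, such as an article describing the injection. Both payloads are constructed.

```python
# Added example for this thread (not the poster's rule, not Snort code): a
# simplified emulation of Snort's ordered content matching, where each
# content is searched relative to the end of the previous match and
# "within" bounds how far past that end the next match may finish.

# Constructed sample of the injected PHP line the rule is meant to catch.
INJECTED = b'@add_action("wp_head", "check_wp_head_load", mt_rand(1, 6));'
# Constructed benign text that mentions all three strings far apart, like an
# article describing the injection.
BENIGN = (b'This post explains the add_action hook. '
          b'Themes call wp_head in header.php. '
          b'The injected function is called check_wp_head_load.')

# Each entry: (pattern, within). within=None means no constraint.
RULE_LOOSE = [(b'add_action', None), (b'wp_head', None),
              (b'check_wp_head_load', None)]
RULE_TIGHT = [(b'add_action', None), (b'wp_head', 20),
              (b'check_wp_head_load', 40)]


def match_ordered(payload: bytes, contents) -> bool:
    """Return True if every pattern is found in order. With within=N the
    pattern must lie entirely inside the N bytes after the previous match
    (approximation of Snort's within modifier; no distance/offset here)."""
    cursor = 0
    for pattern, within in contents:
        end = len(payload) if within is None else cursor + within
        idx = payload.find(pattern, cursor, end)
        if idx == -1:
            return False
        cursor = idx + len(pattern)
    return True


def evaluate() -> dict:
    """Run both rule variants over both samples; True means an alert."""
    return {
        'injected_loose': match_ordered(INJECTED, RULE_LOOSE),
        'injected_tight': match_ordered(INJECTED, RULE_TIGHT),
        'benign_loose': match_ordered(BENIGN, RULE_LOOSE),
        'benign_tight': match_ordered(BENIGN, RULE_TIGHT),
    }


if __name__ == '__main__':
    for name, hit in evaluate().items():
        print(f'{name}: {"ALERT" if hit else "no match"}')
```

The within values are only a starting point; a pcap of the real traffic is still needed to confirm the injected line actually appears in a response body rather than staying server-side in the PHP source.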