[Snort-sigs] Low hanging fruit #2

James Lay jlay at ...3266...
Wed Sep 12 17:58:57 EDT 2012


Yea...that was a good read on the Apache Mod issue:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"INDICATOR-COMPROMISE Page with YWZmaWQ9MDUyODg"; flow:to_client,
established; file_data; content:"YWZmaWQ9MDUyODg"; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
classtype:bad-unknown; sid:10000026;
reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html;
rev:1;)

http://blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html
http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/

Certain this rule will be exciting until they change their ways.
Hopefully I've got the flow right... don't have a pcap to bounce it off of.

James
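An added example, not part of James's post or the Snort rule set, that decodes the rule's content string and mimics the file_data body-only match over a constructed HTTP response. It also shows a caveat a rule author would want to know: the token "YWZmaWQ9MDUyODg" only appears when the plaintext sits at a 3-byte-aligned offset inside the base64 blob, so the same string encoded at another alignment would slip past this exact content match. Function names and the sample response are my own.

```python
import base64

# Indicator copied from the rule's content:"..." option.
INDICATOR = b"YWZmaWQ9MDUyODg"

# Constructed sample HTTP response; the token sits in the body, not the headers.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><!-- constructed sample page -->"
    b"<script>var a='YWZmaWQ9MDUyODg=';</script></html>"
)


def decode_indicator(token: bytes = INDICATOR) -> bytes:
    """Decode the rule's base64 fragment, re-adding the '=' padding the rule omits."""
    padded = token + b"=" * (-len(token) % 4)
    return base64.b64decode(padded)


def split_http_response(raw: bytes):
    """Return (headers, body). file_data restricts the match to the body part."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head, (body if sep else b"")


def matches_rule(raw_response: bytes) -> bool:
    """Approximate the rule: flow to_client + file_data + content match in the body."""
    _, body = split_http_response(raw_response)
    return INDICATOR in body


def alignment_variants(plain: bytes, prefix_lengths=(0, 1, 2)) -> dict:
    """Base64-encode the same plaintext placed after 0, 1 or 2 bytes of prefix.

    Base64 works on 3-byte groups, so shifting the plaintext by one byte changes
    every encoded character. Returns {prefix_len: indicator_found}.
    """
    found = {}
    for n in prefix_lengths:
        blob = base64.b64encode(b"x" * n + plain + b"&z=1")
        found[n] = INDICATOR in blob
    return found


if __name__ == "__main__":
    print("indicator decodes to:", decode_indicator())          # affid=05288
    print("sample response matches:", matches_rule(SAMPLE_RESPONSE))
    print("alignment -> match:", alignment_variants(b"affid=05288"))
```

Only the zero-offset alignment reproduces the token; a rule keyed on the decoded string (or on all three alignments) would be more robust than this single content match.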
