[Snort-sigs] Low hanging fruit #2

Joel Esler jesler at ...435...
Thu Sep 13 11:55:39 EDT 2012


Thanks James, taking a look.

On Sep 12, 2012, at 5:58 PM, James Lay <jlay at ...3266...> wrote:

> Yea...that was a good read on the Apache Mod issue:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Page with YWZmaWQ9MDUyODg"; flow:to_client,established; file_data; content:"YWZmaWQ9MDUyODg"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:10000026; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; rev:1;)
> 
> http://blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html
> http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
> 
> Certain this rule will be exciting until they change their ways.  
> Hopefully I've got the flow right..don't have a pcap to bounce it off 
> of.
> 
> James
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
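The rule James quotes keys on a literal base64 token in served page content; what follows is an added example, not code from the thread or from the Snort project, that decodes that token and approximates the rule's matching semantics (source port in $HTTP_PORTS, literal match inside the HTTP body only, as `file_data` scopes it) so the scope of the detection can be checked against constructed responses. The port set and the sample responses are constructed for the example.

```python
import base64

# Indicator from the quoted rule; its base64 decoding is "affid=05288".
INDICATOR = b"YWZmaWQ9MDUyODg"
HTTP_PORTS = {80, 8080}  # stand-in for Snort's $HTTP_PORTS variable (constructed)


def decode_indicator(token: bytes = INDICATOR) -> str:
    """Show what the base64 content match corresponds to (re-pad, then decode)."""
    padded = token + b"=" * (-len(token) % 4)
    return base64.b64decode(padded).decode()


def split_response(raw: bytes):
    """Separate an HTTP response into headers and body; file_data only sees the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return (head, body) if sep else (head, b"")


def rule_matches(src_port: int, raw_response: bytes) -> bool:
    """Approximation of the quoted rule: server->client (flow:to_client) traffic
    from an $HTTP_PORTS port, with a literal content match in the response body.
    Assumes the body is already decompressed, as http_inspect does before file_data."""
    if src_port not in HTTP_PORTS:      # $HTTP_PORTS -> $HOME_NET any
        return False
    _, body = split_response(raw_response)
    return INDICATOR in body            # content match is literal and case-sensitive


# Constructed sample responses for a self-check.
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello</body></html>"
INJECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><script>var s='YWZmaWQ9MDUyODg';</script></body></html>")
HEADER_ONLY = b"HTTP/1.1 200 OK\r\nX-Debug: YWZmaWQ9MDUyODg\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(decode_indicator())             # affid=05288
    print(rule_matches(80, INJECTED))     # True
    print(rule_matches(80, CLEAN))        # False
    print(rule_matches(80, HEADER_ONLY))  # False: token sits in a header, outside file_data
    print(rule_matches(4444, INJECTED))   # False: source port is not in $HTTP_PORTS
```

The header-only case is the one worth remembering: the rule is deliberately narrow, so a page that carries the token anywhere other than the response body will not fire it.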