[Snort-sigs] Low hanging fruit #2

Joel Esler jesler at ...435...
Thu Sep 13 12:05:31 EDT 2012


On Sep 13, 2012, at 12:01 PM, James Lay <jlay at ...3266...> wrote:
> On 2012-09-13 09:55, Joel Esler wrote:
>> Thanks James, taking a look.
>> 
>> On Sep 12, 2012, at 5:58 PM, James Lay <jlay at ...3266...> wrote:
>> 
>>> Yea...that was a good read on the Apache Mod issue:
>>> 
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>>> (msg:"INDICATOR-COMPROMISE Page with YWZmaWQ9MDUyODg"; flow:to_client,
>>> established; file_data; content:"YWZmaWQ9MDUyODg"; metadata:policy
>>> balanced-ips drop, policy security-ips drop, service http;
>>> classtype:bad-unknown; sid:10000026;
>>> reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html;
>>> rev:1;)
>>> 
>>> http://blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html
>>> http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
>>> 
>>> Certain this rule will be exciting until they change their ways.
>>> Hopefully I've got the flow right..don't have a pcap to bounce it off
>>> of.
>>> 
>>> James
>>> 
> 
> 
> Thanks Joel,
> 
> Looks like I jumped the gun as sigs 2015649 and 2015698 on the ET side have this.  I'll check ALL the rulesets from now on to make sure I'm not wasting anyone's time.  Happy Thursday :)

Good.  However, to protect all customers, I'm still going to perform the research and write the rules.
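To make the rule's logic concrete for readers of this thread, the following added example (it is not from James's post, Joel's reply, or the Snort project) models in Python what the signature inspects: only server-to-client traffic (`flow:to_client,established`), and only the HTTP response body (the `file_data` buffer), for the literal base64 fragment `YWZmaWQ9MDUyODg`, which decodes to `affid=05288`. The sample HTTP responses, the `example.invalid` host, and the function names are constructed for illustration.

```python
import base64

# The rule's content match, taken from the signature quoted above. It is the
# base64 encoding of "affid=05288" with the trailing "=" padding dropped,
# which is why the rule can match it as a plain substring.
NEEDLE = b"YWZmaWQ9MDUyODg"


def decode_needle(needle: bytes = NEEDLE) -> str:
    """Re-pad the matched base64 fragment and decode it for the analyst."""
    padded = needle + b"=" * (-len(needle) % 4)
    return base64.b64decode(padded).decode("ascii")


def split_http_response(raw: bytes):
    """Return (status_line, headers, body) for a raw HTTP response.

    Snort's file_data buffer for HTTP corresponds to the response body, so
    the header block is deliberately kept out of the searched region.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def rule_matches(direction: str, raw: bytes, needle: bytes = NEEDLE) -> bool:
    """Model the quoted rule: inspect only to_client traffic, body only."""
    if direction != "to_client":      # $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
        return False
    try:
        _, _, body = split_http_response(raw)
    except ValueError:
        return False
    return needle in body             # file_data; content:"YWZmaWQ9MDUyODg";


# Constructed sample traffic (not captured data).
INJECTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Welcome</body>"
    b'<iframe src="http://example.invalid/?q=YWZmaWQ9MDUyODg" '
    b'width="1" height="1"></iframe></html>'
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Welcome</body></html>"
)
# The fragment in a header only: outside file_data, so no hit.
HEADER_ONLY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nX-Tag: YWZmaWQ9MDUyODg\r\n\r\n<html></html>"
)


def summarize() -> dict:
    """Run the model against the constructed samples."""
    return {
        "decoded": decode_needle(),
        "injected_to_client": rule_matches("to_client", INJECTED_RESPONSE),
        "clean_to_client": rule_matches("to_client", CLEAN_RESPONSE),
        "header_only_to_client": rule_matches("to_client", HEADER_ONLY_RESPONSE),
        "injected_to_server": rule_matches("to_server", INJECTED_RESPONSE),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The last two cases are the point of James's worry about getting the flow right: the same bytes in a request, or in a response header rather than the body, do not fire this rule, so a pcap of the actual injected page is the only real confirmation that the direction and buffer are correct.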
