[Snort-sigs] [Emerging-Sigs] Linux/CDorked sig

Will Metcalf wmetcalf at ...3525...
Fri Apr 26 14:03:26 EDT 2013

Thanks James, can probably limit to a-f0-9 on your char class and probably
want a \. match after to ensure it is exactly this and not something like
somethinglongerthan16charsaaaaaaaaa.foo.bar could also anchor the match to
a Location header. Nice sig... Will get something into QA and out today
based on this thanks!



On Fri, Apr 26, 2013 at 12:04 PM, James Lay <jlay at ...3266...>wrote:

> Enjoy:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"INDICATOR-COMPROMISED Linux/CDorked redirect";
> flow:from_server,established; file_data; content:"index.php?j=";
> http_header; content:"302"; http_stat_code; pcre:"/http\x3a\x2f\x2f[0-9a-*
> *z]{16}/m"; metadata:policy balanced-ips drop, policy security-ips drop,
> service http; reference:url,http://blog.**sucuri.net/2013/04/apache-**
> binary-backdoors-on-cpanel-**based-servers.html<http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html>;
> classtype:trojan-activity; sid:10000049; rev:1;)
> Ok Joel....how much cleanup is needed with this ;)
> James
> ______________________________**_________________
> Emerging-sigs mailing list
> Emerging-sigs at ...2570...**emergingthreats.net<Emerging-sigs at ...3694...>
> https://lists.emergingthreats.**net/mailman/listinfo/emerging-**sigs<https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.**com <http://www.emergingthreatspro.com>
> The ONLY place to get complete premium rulesets for all versions of
> Suricata and Snort 2.4.0 through Current!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130426/57263ebc/attachment.html>

More information about the Snort-sigs mailing list