[Snort-sigs] [Emerging-Sigs] Unusually small php puts

Joel Esler jesler at ...435...
Mon Jun 10 08:25:24 EDT 2013


James,

I ran this in our test systems for a couple weeks, and while it did alert, it didn't alert on anything that wasn't benign traffic.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 16, 2013, at 2:37 PM, Joel Esler <jesler at ...435...> wrote:

> I'm going to test it in our test systems James, we'll see how it goes.
> 
> 
> On May 15, 2013, at 1:08 PM, James Lay <jlay at ...3266...> wrote:
> 
>> Last month (the 19th I think) I attending an all day security conference...it was pretty good.  One of the tell tale signs of C2 traffic was small php PUT's (according to one presenter), so here's a sig for that:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Unusually small php PUT"; flow:to_server,established; content:"PUT"; http_method; http_uri; urilen:<10; classtype:misc-activity; sid:10000059; rev:1)
>> 
>> Might be useful, might not.  I'm embarrassed that it took me almost a month to get to my notes 8-|
>> 
>> James
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at ...3694...
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>> The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130610/e62eddc8/attachment.html>


More information about the Snort-sigs mailing list