[Snort-sigs] [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)

Joel Esler jesler at ...435...
Tue May 7 14:23:25 EDT 2013


Okay, so to go back to your original intention, it's probably a good idea to have one with a reverse direction from what I shipped?


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site"; flow:to_server,established; content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U"; metadata:policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; classtype:trojan-activity; sid:26576; rev:1;)


(being what I shipped)


On May 7, 2013, at 2:12 PM, Nathan <nathan at ...3397...> wrote:

> Seems it was a good thing I used a disclaimer in the original rule, its an http request to the server and I fubared the direction... Sorry for the confusion
> 
> On May 7, 2013, at 11:34, Joel Esler <jesler at ...435...> wrote:
> 
>> yes?





More information about the Snort-sigs mailing list