[Snort-sigs] PHP config and more

James Lay jlay at ...3266...
Tue May 7 15:32:12 EDT 2013


Yeah, I kinda doubt anyone is downloading config.inc.php in an iframe:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISED config.inc.php in iframe"; flow:from_server,established; file_data; content:"<iframe"; content:"config.inc.php"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:10000051; rev:1;)

Could be wrong though ;)  Comments and hints to make this better/useful 
are always welcome.

James
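
The rule above hinges on two chained content matches: "config.inc.php" must be found within 50 bytes after the end of a "<iframe" match, inside the HTTP response body selected by file_data. The following is an added example, not code from the original post or from the Snort project: a small Python model of that matching logic run over a few constructed HTTP response bodies (not real captures). It assumes a simplified reading of Snort's semantics, namely that the second content must lie entirely inside the 50 bytes following the end of a first-content match, and that the engine backtracks to later occurrences of "<iframe" when the first one is too far away. Matching is byte-for-byte and case-sensitive, because neither content in the rule carries a nocase modifier, so the upper-case sample is deliberately missed.

```python
# Added example, not from the original post or from Snort itself: a small
# Python model of how the rule's two content matches interact, run over a
# few constructed HTTP response bodies.

FIRST = b"<iframe"          # content:"<iframe"
SECOND = b"config.inc.php"  # content:"config.inc.php"; within:50;
WITHIN = 50


def within_match(body: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Model of  content:first; content:second; within:N;

    Assumed semantics (a simplification of Snort's detection engine):
    `second` must be found entirely inside the N bytes that follow the end
    of a `first` match.  If it is not, the engine backtracks and tries the
    next occurrence of `first`, so a page with several iframes still fires
    when any one of them is followed closely enough by the file name.
    Matching is byte-for-byte and case-sensitive, because neither content
    in the rule carries a `nocase` modifier.
    """
    start = 0
    while True:
        hit = body.find(first, start)
        if hit == -1:
            return False
        cursor = hit + len(first)            # Snort's "end of last match"
        if second in body[cursor:cursor + within]:
            return True
        start = hit + 1                      # backtrack to the next <iframe


def rule_fires(body: bytes) -> bool:
    """The rule from the post, minus flow/file_data, which only select the
    HTTP response body that `body` is assumed to already be."""
    return within_match(body, FIRST, SECOND, WITHIN)


# Constructed sample response bodies (not real captures).
SAMPLES = {
    # Injected 1x1 iframe pulling config.inc.php from another host.
    "injected": (
        b'<html><body><iframe src="http://example.invalid/config.inc.php"'
        b' width=1 height=1></iframe></body></html>'
    ),
    # Legitimate embed; the file name appears only in later prose, far
    # more than 50 bytes after the iframe: no alert.
    "benign": (
        b'<iframe src="https://player.example.invalid/embed/video12345"'
        b' width="640" height="360"></iframe>'
        b'<p>Edit config.inc.php to change settings.</p>'
    ),
    # First iframe is too far from the file name, the second is not:
    # only backtracking to the second <iframe makes this fire.
    "second_iframe": (
        b'<iframe src="https://a.example.invalid/widget/frame?id=1234567890">'
        b'</iframe><iframe src="/inc/config.inc.php"></iframe>'
    ),
    # Same payload in upper case: the rule has no nocase, so it is missed.
    "uppercase": b'<IFRAME SRC="/config.inc.php"></IFRAME>',
}


def firing_samples() -> list:
    """Names of the constructed samples the modelled rule would alert on."""
    return [name for name, body in SAMPLES.items() if rule_fires(body)]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14s} -> {'ALERT' if rule_fires(body) else 'no alert'}")
```

Running the script prints ALERT for the "injected" and "second_iframe" samples only. The "uppercase" sample shows the cost of leaving out nocase on a tag name that browsers treat case-insensitively; the "benign" sample shows what within:50 buys in false-positive terms when the file name merely appears elsewhere on the same page.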