[Snort-sigs] PHP config and more

Joel Esler jesler at ...435...
Tue May 7 16:15:16 EDT 2013

On May 7, 2013, at 3:32 PM, James Lay <jlay at ...3266...> wrote:

> Yea kinda doubt anyone is downloading config.inc.php in an iframe:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"INDICATOR-COMPROMISED config.inc.php in iframe"; 
> flow:from_server,established; file_data; content:"<iframe"; 
> content:"config.inc.php"; within:50; fast_pattern; metadata:policy 
> balanced-ips drop, policy security-ips drop, service http; 
> reference:url,http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; 
> classtype:trojan-activity; sid:10000051; rev:1;)


With some minor modifications, this looks pretty good.

I'll get it in.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130507/828cebbf/attachment.html>

More information about the Snort-sigs mailing list