[Snort-sigs] [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)

Community Proposed lists at ...3397...
Tue May 7 16:47:39 EDT 2013


Perfect, thanks Joel.  I hit the sauce too hard on Friday evidently when I
crafted the sig.  Sorry for the confusion guys.

On Tue, 7 May 2013 14:23:25 -0400 Joel Esler <jesler at ...435...> wrote

> Okay, so to go back to your original intention, it's probably a good idea to
> have one with a reverse direction from what I shipped? 
>
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Potential hostile executable served from compromised or malicious WordPress
> site"; flow:to_server,established; content:"/wp-content/"; http_uri;
> content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U";
> metadata:policy security-ips drop, ruleset community, service http;
> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:26576; rev:1;)
>
> 
> (being what I shipped)
> 
> 
> On May 7, 2013, at 2:12 PM, Nathan <nathan at ...3397...> wrote:
> 
> > Seems it was a good thing I used a disclaimer in the original rule, its an
> > http request to the server and I fubared the direction... Sorry for the
> > confusion 
> > On May 7, 2013, at 11:34, Joel Esler <jesler at ...435...> wrote:
> > 
> >> yes?
> 
> 
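The direction question in this thread comes down to one fact: the quoted rule (sid:26576) keys on an HTTP request line, which only ever appears in client-to-server traffic, so the `to_server` form is the only one that can fire. As an added example (not code from the thread, from the rule authors or from the Snort project), the Python below emulates the rule's three match conditions on constructed request and response payloads; Snort's URI normalization is omitted and the raw request-line URI stands in for the `http_uri` buffer.

```python
import re

# Match conditions transcribed from the quoted rule (sid:26576):
#   content:"/wp-content/"; http_uri;          -> substring of the request URI
#   content:".exe|20|HTTP/1."; fast_pattern;   -> raw payload, |20| is a space
#   pcre:"/\/\d+\.exe$/U";                     -> URI ends in /<digits>.exe
URI_PCRE = re.compile(r"/\d+\.exe$")

def parse_request_line(payload: str):
    """Return (method, uri, version) if the payload begins with an HTTP
    request line, else None. A server response ("HTTP/1.1 200 OK") has
    no URI, which is why a to_client copy of this rule can never fire."""
    first_line = payload.split("\r\n", 1)[0]
    parts = first_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]

def rule_26576_matches(payload: str) -> bool:
    """Emulate the rule's three conditions on one client->server payload.
    Snort's URI normalization (percent-decoding, path folding) is
    omitted; the raw request-line URI stands in for the http_uri buffer."""
    request = parse_request_line(payload)
    if request is None:
        return False
    _, uri, _ = request
    if "/wp-content/" not in uri:            # content:"/wp-content/"; http_uri
        return False
    if ".exe HTTP/1." not in payload:        # content:".exe|20|HTTP/1."
        return False
    return URI_PCRE.search(uri) is not None  # pcre:"/\/\d+\.exe$/U"

# Constructed sample payloads (not captured traffic); only the first should alert.
SAMPLES = {
    "wp-content numeric exe":  "GET /wp-content/uploads/2013/05/13794.exe HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "wp-content named exe":    "GET /wp-content/plugins/setup.exe HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "numeric exe, other path": "GET /images/13794.exe HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "server response":         "HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\nMZ",
}

def evaluate_samples() -> dict:
    """Run every sample through the emulated rule and return name -> verdict."""
    return {name: rule_26576_matches(payload) for name, payload in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{'ALERT' if verdict else 'no alert':9} {name}")
```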