[Snort-sigs] PHP config and more
jlay at ...3266...
Wed May 8 09:49:04 EDT 2013
On 2013-05-07 14:15, Joel Esler wrote:
> On May 7, 2013, at 3:32 PM, James Lay <jlay at ...3266... >
>> Yea kinda doubt anyone is downloading config.inc.php in an iframe:
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (msg:"INDICATOR-COMPROMISED config.inc.php in iframe";
>> flow:from_server,established; file_data; content:"<iframe";
>> content:"config.inc.php"; within:50; fast_pattern; metadata:policy
>> balanced-ips drop, policy security-ips drop, service http;
>> classtype:trojan-activity; sid:10000051; rev:1;)
> With some minor modifications, this looks pretty good.
> I'll get it in.
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
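The content chain of the rule quoted above (`content:"<iframe"; content:"config.inc.php"; within:50;`), emulated in Python as an added example; it is not part of the original thread and not Snort's own code. It assumes the input is the decoded HTTP response body that `file_data` exposes; the function name, sample names and response bodies are constructed for illustration.

```python
# Added example: emulates the two content matches of the rule in this thread.
IFRAME = b"<iframe"          # content:"<iframe";
TARGET = b"config.inc.php"   # content:"config.inc.php";
WITHIN = 50                  # within:50; TARGET must lie wholly in the 50 bytes after IFRAME


def rule_matches(body: bytes) -> bool:
    """True if some "<iframe" is followed, within 50 bytes, by "config.inc.php"."""
    start = 0
    while True:
        hit = body.find(IFRAME, start)
        if hit == -1:
            return False
        cursor = hit + len(IFRAME)            # relative matches start after the first content
        if TARGET in body[cursor:cursor + WITHIN]:
            return True
        start = hit + 1                       # retry from the next "<iframe", as the engine does


# Constructed response bodies (not captured traffic).
SAMPLES = {
    # iframe whose src points at config.inc.php close to the tag: should alert
    "injected": b'<html><iframe src="http://example.invalid/config.inc.php" width=1></iframe>',
    # same file name, but more than 50 bytes after "<iframe": outside the window
    "far": b'<iframe src="http://example.invalid/some/long/path/segment/here/config.inc.php">',
    # file name in an ordinary link, no iframe at all
    "plain_link": b'<a href="/docs/config.inc.php">sample config</a>',
    # first iframe is unrelated; the second one satisfies the chain
    "second_iframe": b'<iframe src="/ads.html"></iframe><p>' + b"x" * 60
                     + b'</p><iframe src="/x/config.inc.php">',
    # the rule as posted has no nocase modifier, so the match is case-sensitive
    "uppercase": b'<IFRAME SRC="/config.inc.php"></IFRAME>',
}


def evaluate() -> dict:
    """Run every constructed sample through the emulated rule."""
    return {name: rule_matches(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:14s} {'ALERT' if fired else 'no match'}")
```

Running sample bodies through a check like this before deployment shows where the 50-byte window and the case-sensitive match set the boundary of what the signature covers.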