[Snort-sigs] PHP config and more

James Lay jlay at ...3266...
Wed May 8 09:49:04 EDT 2013


On 2013-05-07 14:15, Joel Esler wrote:
> On May 7, 2013, at 3:32 PM, James Lay <jlay at ...3266...>
> wrote:
>
>> Yea kinda doubt anyone is downloading config.inc.php in an iframe:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (msg:"INDICATOR-COMPROMISED config.inc.php in iframe";
>> flow:from_server,established; file_data; content:"<iframe";
>> content:"config.inc.php"; within:50; fast_pattern; metadata:policy
>> balanced-ips drop, policy security-ips drop, service http;
>> reference:url,http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html;
>> classtype:trojan-activity; sid:10000051; rev:1;)
>
> James,
>
> With some minor modifications, this looks pretty good.
>
> I'll get it in.
>
> --
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>


Thanks Joel!

James
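To see exactly what the quoted rule's `content:"<iframe"; content:"config.inc.php"; within:50;` pair matches on an HTTP response body, here is an added Python emulation of that logic (example code, not from the list post or from Snort). It assumes the Snort 2 manual's `within` semantics (the second pattern must lie entirely inside the N bytes following the end of the previous match) and uses constructed sample responses; the second sample shows the false negative you get when an iframe's attribute list pushes the `src` path past the 50-byte window.

```python
"""Emulate the content/within logic of the quoted Snort rule.
Added example with constructed sample data; not code from the post."""

IFRAME = b"<iframe"
PATH = b"config.inc.php"
WITHIN = 50  # the rule's within:50


def http_body(raw: bytes) -> bytes:
    """Return the response body, roughly what file_data inspects.
    Assumes an unchunked, unencoded response (constructed samples)."""
    sep = raw.find(b"\r\n\r\n")
    return raw[sep + 4:] if sep != -1 else b""


def content_within(data: bytes, first: bytes, second: bytes, within: int) -> bool:
    """`content:first; content:second; within:N;`

    `second` must be found completely inside the `within` bytes that start
    at the end of a `first` match. Every occurrence of `first` is tried,
    mirroring Snort's recursive content search, so an early far-away
    iframe does not hide a later close one."""
    start = 0
    while (i := data.find(first, start)) != -1:
        end = i + len(first)
        if data[end:end + within].find(second) != -1:
            return True
        start = i + 1
    return False


def rule_matches(raw_response: bytes) -> bool:
    """True when the quoted rule's content checks fire on this response."""
    return content_within(http_body(raw_response), IFRAME, PATH, WITHIN)


# Constructed sample responses (example.invalid is a reserved TLD).
HIT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
       b"<html><body><iframe src=\"http://example.invalid/config.inc.php\""
       b" width=1 height=1></iframe></body></html>")

# 63 bytes of attributes sit between "<iframe" and "src=", so the path
# starts outside the 50-byte window: the rule does NOT fire.
MISS_LONG_ATTRS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b"<html><body><iframe width=\"1\" height=\"1\""
                   b" frameborder=\"0\" style=\"visibility:hidden\""
                   b" src=\"http://example.invalid/config.inc.php\"></iframe>"
                   b"</body></html>")

if __name__ == "__main__":
    print("HIT fires:", rule_matches(HIT))                  # True
    print("MISS_LONG_ATTRS fires:", rule_matches(MISS_LONG_ATTRS))  # False
```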
