[Snort-sigs] Unusually small php puts

James Lay jlay at ...3266...
Wed May 15 13:08:50 EDT 2013

Last month (the 19th I think) I attended an all day security 
conference...it was pretty good.  One of the telltale signs of C2 
traffic was small php PUTs (according to one presenter), so here's a 
sig for that:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Unusually small php PUT"; flow:to_server,established; content:"PUT"; http_method; urilen:<10; classtype:misc-activity; sid:10000059; rev:1;)

Might be useful, might not.  I'm embarrassed that it took me almost a 
month to get to my notes 8-|
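An offline check of which requests the signature's conditions select, added here as an example and not part of the original post. The traffic records, the HOME_NET and HTTP_PORTS values, and the optional `require_php` filter are assumptions made for illustration; URI length is approximated as the length of the URI string on the request line.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed value of $HOME_NET
HTTP_PORTS = {80, 8080}                        # assumed value of $HTTP_PORTS
MAX_URILEN = 10                                # urilen:<10 from the signature

# Constructed sample traffic: (src ip, dst ip, dst port, HTTP request line)
SAMPLE = [
    ("10.1.2.3", "203.0.113.7", 80, "PUT /a.php HTTP/1.1"),
    ("10.1.2.3", "203.0.113.7", 80, "PUT /up HTTP/1.1"),
    ("10.1.2.3", "203.0.113.7", 80, "PUT /files/report-2013-05.docx HTTP/1.1"),
    ("10.1.2.3", "203.0.113.7", 80, "POST /a.php HTTP/1.1"),
    ("10.1.2.3", "10.9.9.9", 80, "PUT /a.php HTTP/1.1"),
    ("10.1.2.3", "203.0.113.7", 80, "PUT /gate.php?id=1 HTTP/1.1"),
    ("10.1.2.3", "203.0.113.7", 80, "garbage"),
]

def parse_request_line(line):
    """Return (method, uri), or None for a malformed request line."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]

def is_outbound(src, dst, dport):
    """$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (EXTERNAL_NET assumed !HOME_NET)."""
    return (ipaddress.ip_address(src) in HOME_NET
            and ipaddress.ip_address(dst) not in HOME_NET
            and dport in HTTP_PORTS)

def small_put(record, require_php=False):
    """True if the record meets the signature's method and URI-length conditions."""
    src, dst, dport, line = record
    parsed = parse_request_line(line)
    if parsed is None or not is_outbound(src, dst, dport):
        return False
    method, uri = parsed
    if method != "PUT" or len(uri) >= MAX_URILEN:
        return False
    # Hypothetical extra filter (not in the posted rule): path must end in .php
    path = uri.split("?", 1)[0]
    return path.lower().endswith(".php") if require_php else True

def triage(records, require_php=False):
    """Return the request lines that would be flagged."""
    return [r[3] for r in records if small_put(r, require_php)]

if __name__ == "__main__":
    print("method + urilen :", triage(SAMPLE))
    print("plus .php path  :", triage(SAMPLE, require_php=True))
```

The method and length conditions alone also flag the short non-php PUT, and a query string pushes an otherwise short php URI past the length limit.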


