[Snort-sigs] vBulletin 4.x and 5.x exploit in the wild

James Lay jlay at ...3266...
Wed Oct 9 12:45:43 EDT 2013


Bummer:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-OTHER vBulletin upgrade.php exploit"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"install|2f|upgrade.php"; http_uri; fast_pattern:only; \
    metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; \
    reference:url,www.net-security.org/secworld.php?id=15743; \
    classtype:trojan-activity; sid:10000101; rev:1; \
)

Not adding the / at the front allows it to catch both 4.x and 5.x 
versions.  Thanks all!

James
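
The same match applied to web server access logs, as an added example that is not part of the original post: it flags POST requests whose decoded URI contains install/upgrade.php, with no leading slash so that both directory layouts hit. The combined log format, the sample lines and the two upgrade.php paths are assumptions constructed for illustration, and normalize() only approximates what Snort's HTTP preprocessor does.

```python
import re
from urllib.parse import unquote

# Same content the rule matches in http_uri (deliberately no leading slash).
NEEDLE = "install/upgrade.php"

# Apache/nginx combined log format (assumed): src - - [ts] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(uri):
    """Rough stand-in for URI normalization: percent-decode, unify and collapse slashes."""
    decoded = unquote(uri).replace("\\", "/")
    return re.sub(r"/{2,}", "/", decoded)

def find_hits(lines):
    """Return (src, timestamp, raw_uri, status) for each POST whose URI contains NEEDLE."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["method"] != "POST":   # rule: content:"POST"; http_method
            continue
        if NEEDLE in normalize(m["uri"]):         # rule: content in http_uri, case-sensitive
            hits.append((m["src"], m["ts"], m["uri"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges; paths are assumed layouts).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Oct/2013:12:01:02 -0400] "POST /install/upgrade.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Oct/2013:12:03:40 -0400] "POST /core/install/upgrade.php HTTP/1.1" 200 498',
    '192.0.2.4 - - [09/Oct/2013:12:04:11 -0400] "GET /install/upgrade.php HTTP/1.1" 404 210',
    '203.0.113.21 - - [09/Oct/2013:12:05:59 -0400] "POST /forum//core/install%2Fupgrade.php HTTP/1.1" 200 498',
    '192.0.2.4 - - [09/Oct/2013:12:06:30 -0400] "POST /forum/login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for src, ts, uri, status in find_hits(SAMPLE_LOG):
        print(f"{ts} {src} POST {uri} -> {status}")
```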



