[Snort-sigs] Malicious ZenCart redirect sigs

Carlos Pacho cpacho at ...435...
Tue Feb 18 12:45:22 EST 2014


Hi James,

We will get the rules added to the community ruleset.

Thanks!

Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho at ...435...
Sourcefire.com <http://www.sourcefire.com/>


On Mon, Feb 17, 2014 at 6:31 PM, James Lay <jlay at ...3266...> wrote:

> Slow Monday:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INDICATOR-COMPROMISED
> ZenCart Malicious Redirect detected"; flow:to_server,established;
> file_data; content:"Set-Cookie|3A 20|USERID=shine-check|3b|";
> http_header; fast_pattern:only; metadata:policy balanced-ips drop,
> policy security-ips drop, service http;
> reference:url,
> blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html
> ;
> classtype:trojan-activity; sid:10000127; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INDICATOR-COMPROMISED
> Compromised ZenCart detected"; flow:to_server,established; file_data;
> content:"Set-Cookie|3A 20|USERID=twotime|3b|"; http_header;
> fast_pattern:only; metadata:policy balanced-ips drop, policy
> security-ips drop, service http;
> reference:url,
> blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html
> ;
> classtype:trojan-activity; sid:10000128; rev:1;)
>
> James
>
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140218/cfe58241/attachment.html>


More information about the Snort-sigs mailing list