[Snort-sigs] Offer a new sig for detecting Phoenix Exploit Kit

rmkml rmkml at ...4129...
Tue Sep 6 15:12:15 EDT 2016


The http://etplc.org open source project offers a new sig for detecting Phoenix Exploit Kit:

# Rule as posted, split with Snort's backslash line continuation so it loads as one rule.
# sid:1 is a placeholder; local rules should use a SID of 1000000 or higher.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phoenix Exploit Kit geoip.php bdr param RCE attempt"; \
flow:to_server,established; content:"/geoip.php?bdr="; nocase; http_uri; \
reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phoenix_exec.rb; \
classtype:web-application-activity; sid:1; rev:1;)

See the reference for more information.

Don't forget to check variables.

Please send any comments.
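Editor's added example (not part of rmkml's post, and not etplc.org code): the script below replays the matching logic of the posted rule over a few constructed HTTP request lines, so you can see what content:"/geoip.php?bdr="; nocase; http_uri; does and does not catch. It stands in for Snort's http_inspect URI normalization with a single round of percent-decoding, which is an assumption; the real normalizer handles more cases (double encoding, path compaction). The sample requests are made up for the demonstration.

```python
"""Emulate the posted Snort rule's content + nocase + http_uri match in Python.

Added example; it is not Snort code and not part of the original post. The
normalization step is an assumption: one pass of percent-decoding stands in
for http_inspect's fuller URI normalization.
"""
import re
from urllib.parse import unquote

# The content keyword from the rule. nocase makes the match case-insensitive;
# http_uri limits the search to the normalized request URI (path plus query).
RULE_CONTENT = "/geoip.php?bdr="
RULE_MSG = "WEB-PHP Phoenix Exploit Kit geoip.php bdr param RCE attempt"

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def normalize_uri(uri: str) -> str:
    """Stand-in for http_inspect URI normalization: one round of percent-decoding.

    Assumption: Snort's normalizer also handles double-encoding, directory
    traversal compaction and similar cases that are not modelled here.
    """
    return unquote(uri)


def rule_matches(request_line: str) -> bool:
    """Return True when the request line would fire the posted rule."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return False  # not an HTTP request line; nothing for http_uri to inspect
    uri = normalize_uri(m.group(2))
    # content:"..."; nocase; http_uri;  ->  case-insensitive substring test on the URI
    return RULE_CONTENT.lower() in uri.lower()


def scan(lines):
    """Run the rule over a list of request lines; return (line, msg) per alert."""
    return [(ln, RULE_MSG) for ln in lines if rule_matches(ln)]


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    "GET /geoip.php?bdr=id HTTP/1.1",               # plain hit
    "GET /Phoenix/GEOIP.PHP?BDR=whoami HTTP/1.1",   # hit only because of nocase
    "GET /geoip%2Ephp?bdr=uname HTTP/1.1",          # hit after percent-decoding
    "GET /geoip.php?other=1 HTTP/1.1",              # same script, wrong parameter
    "GET /index.php?bdr=1 HTTP/1.0",                # parameter without the script
]

if __name__ == "__main__":
    for line, msg in scan(SAMPLE_REQUESTS):
        print(f"ALERT [{msg}] {line}")
```

Running it alerts on the first three requests and stays quiet on the last two. The third case is the one to keep in mind when tuning: the rule only catches the encoded form because Snort normalizes the URI before http_uri is compared, so this rule should be deployed with http_inspect enabled on the server ports in $HTTP_PORTS.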

