[Snort-sigs] Multiple signatures 023

Matthew Mickel mmickel at sourcefire.com
Tue Feb 12 08:33:19 EST 2019


Hi, Yaser-

Thanks for your submissions.  We will test the rules and get back to you once we’ve finished.  Any PCAPs that you can provide are greatly appreciated.  Thank you!

Best,

Matt Mickel

> On Feb 12, 2019, at 7:07 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> 
> 
> # --------------------
> # Title: Threat Actor “Magecart”: Coming to an eCommerce Store Near You
> # Reference: https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/
> # Tests: NA
> # Yara: NA
> # ClamAV: NA
> # Hashes: NA
> # Notes: Not sure if this is "good" detection, too many assumptions.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/customer_notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000514; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/appointment/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000515; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/AvisVerifies/dialog/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000516; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/pdffree/Product/pdfsave/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000517; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/ajax/Showroom/submit/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000518; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/netgocust/Gwishlist/updategwishlist/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000519; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/CustomGrid/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000520; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/simplebundle/Cart/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000521; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/layaway/view/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000522; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/multidealpro/index/edit/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000523; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/credit/withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000524; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/customgrid/Blcg_Column_Renderer_index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000525; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/tabshome/index/ajax/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000526; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/customgrid/Blcg/Column/Renderer/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000527; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/customgrid/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000528; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/aheadmetrics/auth/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000529; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/gwishlist/Gwishlist/updategwishlist/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000530; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/credit_withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000531; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000532; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/emaildirect/abandoned/restore/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000533; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000534; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/bssreorderproduct/list/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000535; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/advancedreports/chart/tunnel/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000536; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/minifilterproducts/index/ajax/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000537; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/ajaxproducts/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000538; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/qquoteadv/download/downloadCustomOption/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000539; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/freegift/cart/gurlgift/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000540; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/madecache/varnish/esi/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000541; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/customer/notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000542; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/prescription/Prescription/amendQuoteItemQty/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000543; rev:1;)
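
The rules above all share one shape: a fixed plugin path in http_uri, "dl=" in http_uri, the POST method, and a negated content:!"Referer" in http_header. The script below is an added example, not part of the thread or of the Snort project; it pulls the content/http_* clauses out of a rule string and evaluates them against constructed HTTP requests, so you can see which requests the submitted logic fires on before a PCAP is available. The RULE string is the first submitted rule (sid:8000514) copied verbatim; the request samples are constructed for illustration. It simplifies Snort's real behaviour in two ways that are noted in comments: it does not apply http_inspect's URI normalisation, and it treats content matching as the byte-exact, case-sensitive match that Snort performs when no nocase modifier is given.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# The first submitted rule (sid:8000514), copied verbatim so the emulation
# exercises exactly the option combination the whole batch uses.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; '
    'flow:to_server,established; '
    'content:"/rewards/customer_notifications/unsubscribe/"; fast_pattern:only; http_uri; '
    'content:"dl="; http_uri; content:"POST"; http_method; '
    'content:!"Referer"; http_header; '
    'metadata:ruleset community, service http; classtype:attempted-user; '
    'sid:8000514; rev:1;)'
)


@dataclass
class ContentMatch:
    pattern: bytes
    buffer: str = "raw"    # which HTTP buffer the content is checked in
    negated: bool = False  # content:!"..." means the bytes must NOT appear


def parse_contents(rule: str) -> List[ContentMatch]:
    """Extract content + http_* modifier groups from a Snort 2 rule string.

    Assumes no ';' or '"' inside content strings (true for the rules above).
    flow, fast_pattern, metadata etc. do not change the match decision here
    and are skipped.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents: List[ContentMatch] = []
    for opt in (o.strip() for o in body.split(";")):
        if opt.startswith("content:"):
            value = opt[len("content:"):]
            negated = value.startswith("!")
            contents.append(ContentMatch(value.lstrip("!").strip('"').encode(), negated=negated))
        elif opt in ("http_uri", "http_method", "http_header") and contents:
            contents[-1].buffer = opt[len("http_"):]  # 'uri', 'method' or 'header'
    return contents


def rule_sid(rule: str) -> int:
    return int(re.search(r"sid:(\d+);", rule).group(1))


def split_request(raw: bytes) -> Dict[str, bytes]:
    """Split a raw HTTP/1.x request into the buffers the http_* modifiers name.

    Simplification: Snort's http_inspect normalises http_uri (percent-decoding,
    path canonicalisation); this emulation matches the bytes exactly as sent.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    return {"method": method, "uri": uri, "header": b"\r\n".join(lines[1:]), "raw": raw}


def rule_matches(rule: str, raw_request: bytes) -> bool:
    """True when every content clause holds: present, or absent when negated."""
    req = split_request(raw_request)
    for m in parse_contents(rule):
        found = m.pattern in req[m.buffer]  # byte-exact, like content without nocase
        if found == m.negated:              # present-but-negated, or absent-but-required
            return False
    return True


def fired_sids(rules: List[str], raw_request: bytes) -> List[int]:
    return [rule_sid(r) for r in rules if rule_matches(r, raw_request)]


# Constructed sample requests (not taken from the thread or the referenced report).
SAMPLES: Dict[str, bytes] = {
    # Scanner-style probe: POST, 'dl=' in the query string, no Referer -> fires.
    "scanner_post": (b"POST /rewards/customer_notifications/unsubscribe/?dl=1 HTTP/1.1\r\n"
                     b"Host: shop.example\r\nUser-Agent: curl/7.64.0\r\nContent-Length: 0\r\n\r\n"),
    # Same request from a browser that sends Referer -> excluded by content:!"Referer".
    "browser_post": (b"POST /rewards/customer_notifications/unsubscribe/?dl=1 HTTP/1.1\r\n"
                     b"Host: shop.example\r\nReferer: https://shop.example/account\r\n"
                     b"Content-Length: 0\r\n\r\n"),
    # GET with the same URI -> fails the http_method clause.
    "get_request": (b"GET /rewards/customer_notifications/unsubscribe/?dl=1 HTTP/1.1\r\n"
                    b"Host: shop.example\r\n\r\n"),
    # Header names are case-insensitive on the wire, but content without nocase
    # is not, so a lowercase 'referer:' is not seen by the negation and the rule fires.
    "lowercase_referer": (b"POST /rewards/customer_notifications/unsubscribe/?dl=1 HTTP/1.1\r\n"
                          b"Host: shop.example\r\nreferer: https://shop.example/account\r\n\r\n"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18s} -> sids {fired_sids([RULE], req)}")
```

The "lowercase_referer" case is the kind of assumption the submitter flags in the Notes line: the negated Referer clause is doing the work of separating scanners from browsers, and without nocase it only excludes the capitalised spelling. Whether real Snort behaves identically depends on http_inspect's header handling, which is exactly what a PCAP of a genuine probe would settle, so it is worth including such a request in any test capture sent back to the list.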
