Home page logo
/

snort logo Snort mailing list archives

Re: does snort pick up lthe izamoon attack?
From: Alex Kirk <akirk () sourcefire com>
Date: Fri, 1 Apr 2011 14:13:29 -0400

As it turns out, SID 13989 will detect the injection attack.

Our honeypots had noticed some interesting data around that rule, and around
the same time we noticed this posting:

http://stackoverflow.com/questions/3788080/attack-on-asp-site-that-uses-a-sql-server-database

<http://stackoverflow.com/questions/3788080/attack-on-asp-site-that-uses-a-sql-server-database>It's
pretty clear that the query shown on that page is what's being used to
spread this. Additionally, Jason, props to you for recognizing that a rule
should skip the domain, since a link off of the above page shows live
attacks have used distinct domains; the rule you've posted above will work
in the wild.

For what it's worth, SID 13989 is disabled by default, since it was
considered somewhat experimental when it was written. Since it did a pretty
good job of detecting ASPRox, and now this Lizamoon thing, we may consider
putting it into some policies for people - though I'd be curious to get
feedback from the list on that.

On Thu, Mar 31, 2011 at 6:26 PM, Joel Esler <jesler () sourcefire com> wrote:

Might be interesting either way.  To see if one of your users was browsing
to a compromised site, but also interesting to see an outbound one
($HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any) to see if one of your sites was
compromised.



--
Joel Esler
http://blog.snort.org | http://vrt-blog.snort.org
Twitter: http://twitter.com/snort

On Thursday, March 31, 2011 at 6:17 PM, Alex Kirk wrote:

Detecting compromised pages should be trivial:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS
lizamoon.com SQL injection compromised page"; flow:established,to_client;
content:"script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"; nocase;
classtype:trojan-activity;)

We can toss that into an upcoming SEU, given its growing prevalence.

On Thu, Mar 31, 2011 at 6:08 PM, Jason Haar <Jason.Haar () trimble co nz>wrote:

Hi there

As you are all no doubt aware, the "lizamoon" SQL injection attack has
already hacked over 380,000 urls. Does anyone know if snort picks it via
one of it's existing rules, and if not, has anyone written one?

Thanks


http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself;
WebMatrix provides all the features you need to develop and
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org




--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself;
WebMatrix provides all the features you need to develop and
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org





-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

  By Date           By Thread  

Current thread:
  • Re: does snort pick up lthe izamoon attack? Alex Kirk (Apr 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault