Home page logo

snort logo Snort mailing list archives

Re: [Emerging-Sigs] Linux/CDorked sig
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Fri, 26 Apr 2013 13:03:26 -0500

Thanks James, can probably limit to a-f0-9 on your char class and probably
want a \. match after to ensure it is exactly this and not something like
somethinglongerthan16charsaaaaaaaaa.foo.bar could also anchor the match to
a Location header. Nice sig... Will get something into QA and out today
based on this thanks!



On Fri, Apr 26, 2013 at 12:04 PM, James Lay <jlay () slave-tothe-box net>wrote:


(msg:"INDICATOR-COMPROMISED Linux/CDorked redirect";
flow:from_server,established; file_data; content:"index.php?j=";
http_header; content:"302"; http_stat_code; pcre:"/http\x3a\x2f\x2f[0-9a-*
*z]{16}/m"; metadata:policy balanced-ips drop, policy security-ips drop,
service http; reference:url,http://blog.**sucuri.net/2013/04/apache-**
classtype:trojan-activity; sid:10000049; rev:1;)

Ok Joel....how much cleanup is needed with this ;)

Emerging-sigs mailing list
Emerging-sigs () lists **emergingthreats net<Emerging-sigs () lists emergingthreats net>

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreatspro.**com <http://www.emergingthreatspro.com>
The ONLY place to get complete premium rulesets for all versions of
Suricata and Snort 2.4.0 through Current!

Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]