Home page logo

snort logo Snort mailing list archives

Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 7 May 2013 14:23:25 -0400

Okay, so to go back to your original intention, it's probably a good idea to have one with a reverse direction from 
what I shipped?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from 
compromised or malicious WordPress site"; flow:to_server,established; content:"/wp-content/"; http_uri; 
content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U"; metadata:policy security-ips drop, ruleset 
community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; 
classtype:trojan-activity; sid:26576; rev:1;)

(being what I shipped)

On May 7, 2013, at 2:12 PM, Nathan <nathan () packetmail net> wrote:

Seems it was a good thing I used a disclaimer in the original rule, its an http request to the server and I fubared 
the direction... Sorry for the confusion

On May 7, 2013, at 11:34, Joel Esler <jesler () sourcefire com> wrote:


Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]