Home page logo
/

snort logo Snort mailing list archives

Re: PHP config and more
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 7 May 2013 16:15:16 -0400

On May 7, 2013, at 3:32 PM, James Lay <jlay () slave-tothe-box net> wrote:

Yea kinda doubt anyone is downloading config.inc.php in an iframe:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISED config.inc.php in iframe"; 
flow:from_server,established; file_data; content:"<iframe"; 
content:"config.inc.php"; within:50; fast_pattern; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html;
 
classtype:trojan-activity; sid:10000051; rev:1;)


James,

With some minor modifications, this looks pretty good.

I'll get it in.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]