Snort mailing list archives

Re: [Emerging-Sigs] Unusually small php puts
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 16 May 2013 14:37:10 -0400

I'm going to test it in our test systems James, we'll see how it goes.

On May 15, 2013, at 1:08 PM, James Lay <jlay () slave-tothe-box net> wrote:

Last month (the 19th I think) I attended an all day security conference...it was pretty good.  One of the telltale signs of C2 traffic was small php PUTs (according to one presenter), so here's a sig for that:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Unusually small php PUT"; flow:to_server,established; content:"PUT"; http_method; urilen:<10; classtype:misc-activity; sid:10000059;)

Might be useful, might not.  I'm embarrassed that it took me almost a month to get to my notes 8-|

Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
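As an added illustration (not code from either mail), the heuristic in the rule above applied in Python to constructed request lines, plus an optional .php filter that the rule itself does not apply; the sample data and the require_php switch are my additions.

```python
"""Replay the 'unusually small PUT' heuristic over constructed HTTP request lines."""
import re
from typing import List, Optional, Tuple

# Request line as the sensor sees it on the client->server side.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")

# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    b"PUT /a.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"PUT /uploads/report-2013-05.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /x.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"PUT /c.php?id=1234567 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"PUT /x HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST / HTTP/1.1\r\nHost: example.test\r\n\r\n",
]


def parse_request_line(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (method, request-uri) or None if this is not an HTTP request line."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace")


def small_put(raw: bytes, max_len: int = 10, require_php: bool = False) -> bool:
    """Mirror of: content:"PUT"; http_method; urilen:<10;

    Assumption: Snort's urilen is measured over the whole request-URI from the
    request line, query string included, so the full target is measured here.
    require_php adds the '.php' check the original rule's msg implies but never tests.
    """
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri = parsed
    if method != "PUT" or len(uri) >= max_len:
        return False
    if require_php:
        return uri.split("?", 1)[0].lower().endswith(".php")
    return True


def scan(requests, **kw) -> List[str]:
    """URIs of every request in the sample that the heuristic flags."""
    return [parse_request_line(r)[1] for r in requests if small_put(r, **kw)]
```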
