Home page logo
/

snort logo Snort mailing list archives

Re: [Emerging-Sigs] Unusually small php puts
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 16 May 2013 14:37:10 -0400

I'm going to test it in our test systems James, we'll see how it goes.


On May 15, 2013, at 1:08 PM, James Lay <jlay () slave-tothe-box net> wrote:

Last month (the 19th I think) I attending an all day security conference...it was pretty good.  One of the tell tale 
signs of C2 traffic was small php PUT's (according to one presenter), so here's a sig for that:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Unusually small php PUT"; 
flow:to_server,established; content:"PUT"; http_method; http_uri; urilen:<10; classtype:misc-activity; sid:10000059; 
rev:1)

Might be useful, might not.  I'm embarrassed that it took me almost a month to get to my notes 8-|

James
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault