Snort mailing list archives
Re: vBulletin 4.x and 5.x exploit in the wild
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 9 Oct 2013 20:30:26 -0400
Thanks James. Sent from my iPhone
On Oct 9, 2013, at 12:45 PM, James Lay <jlay () slave-tothe-box net> wrote: Bummer: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER vBulletin upgrade.php exploit"; flow:to_server, established; content:"POST"; http_method; content:"install|2f|upgrade.php"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; reference:url,www.net-security.org/secworld.php?id=15743; classtype:trojan-activity; sid:10000101; rev:1;) not adding the / at the front allows it to catch both 4.x and 5.x version. Thanks all! James ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- vBulletin 4.x and 5.x exploit in the wild James Lay (Oct 09)
- Re: vBulletin 4.x and 5.x exploit in the wild Joel Esler (Oct 09)