Snort mailing list archives
Re: Has a rule been created for this?
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Tue, 13 Apr 2010 11:58:38 -0500
AFAIK Snort doesn't decode multipart/form-data so I don't think you can do something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Suspicious PHP File Upload, L0oZuRpAnTz"; flow:established,to_server; content:"POST"; http_method; content:"<?php"; nocase; content:"/*L0oZuRpAnTz*/"; content:"array(\"DuMb\",\"DuMbEr\",\"DuMbEsT\")\;"; classtype:bad-unknown; reference:url,forums.devnetwork.net/viewtopic.php%3Ff%3D34%26t%3D88942; sid:2010xxx; rev:1;)

Be curious to see what the SF folks do or come up with.

-evilghost

Adam Richards wrote:
Correct.

Adam Richards, CISSP | CEH

-----Original Message-----
From: evilghost () packetmail net [mailto:evilghost () packetmail net]
Sent: Tuesday, April 13, 2010 11:40 AM
To: Adam Richards
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Has a rule been created for this?

PHP is server-side, what behavior were you wanting to alert on specifically? Best I can figure you want to detect on upload of this file to an HTTPd, correct?

-evilghost

Adam Richards wrote:
I have been seeing this obfuscated php file around a lot lately and I wasn't sure if there was a rule yet for it. There are a few unique strings in it that we can look for.
http://webcache.googleusercontent.com/search?q=cache:MyKUomVp7rQJ:forums.devnetwork.net/viewtopic.php%3Ff%3D34%26t%3D88942+L0oZuRpAnTz&cd=1&hl=en&ct=clnk&gl=us

Adam Richards, CISSP | CEH

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
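As an added example (not code from the thread or from Snort), a small Python harness that parses the content options of the rule evilghost proposes, applying Snort's \" and \; escaping, and runs them against a constructed multipart/form-data upload: it shows that the unbuffered content matches do hit the file bytes when the client sends the part verbatim in the body, which is the only case this rule can catch since Snort does not decode the multipart encoding itself. The http_method buffer is approximated by the first request token, and the boundary, host and PHP stub are constructed values.

```python
import re

# Rule as posted in the thread (sid is the author's placeholder; reference option omitted).
RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ('
        r'msg:"Suspicious PHP File Upload, L0oZuRpAnTz"; flow:established,to_server; '
        r'content:"POST"; http_method; content:"<?php"; nocase; content:"/*L0oZuRpAnTz*/"; '
        r'content:"array(\"DuMb\",\"DuMbEr\",\"DuMbEsT\")\;"; classtype:bad-unknown; sid:2010xxx; rev:1;)')

def split_options(rule):
    # Split the text inside the parentheses on ';' that is neither backslash-escaped nor inside quotes.
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, in_quote, escaped = [], '', False, False
    for ch in body:
        if escaped or ch == '\\':
            cur, escaped = cur + ch, not escaped
        elif ch == '"':
            cur, in_quote = cur + ch, not in_quote
        elif ch == ';' and not in_quote:
            opts, cur = opts + [cur.strip()], ''
        else:
            cur += ch
    return [o for o in opts if o]

def content_matches(rule):
    # Each content pattern with its nocase flag and buffer; Snort 2 modifiers bind to the preceding content only.
    matches = []
    for opt in split_options(rule):
        if opt.startswith('content:'):
            quoted = opt[len('content:'):].strip()[1:-1]     # drop the surrounding quotes
            pattern = re.sub(r'\\(.)', r'\1', quoted)        # unescape \" \; \\ (|hex| form not handled here)
            matches.append({'pattern': pattern.encode(), 'nocase': False, 'buffer': 'raw'})
        elif matches and opt == 'nocase':
            matches[-1]['nocase'] = True
        elif matches and opt.startswith('http_'):
            matches[-1]['buffer'] = opt
    return matches

def rule_fires(rule, request):
    # Apply every content match to one raw client request; http_method is simplified to the first token.
    method = request.split(b' ', 1)[0]
    for m in content_matches(rule):
        haystack = method if m['buffer'] == 'http_method' else request
        pattern = m['pattern']
        if m['nocase']:
            haystack, pattern = haystack.lower(), pattern.lower()
        if pattern not in haystack:
            return False
    return True

def build_upload(boundary=b'----ConstructedBoundary'):
    # Constructed multipart/form-data POST carrying an inert PHP stub with the marker strings from the thread.
    php = b'<?PHP /*L0oZuRpAnTz*/ $x=array("DuMb","DuMbEr","DuMbEsT"); ?>'
    body = (b'--' + boundary + b'\r\nContent-Disposition: form-data; name="file"; filename="x.php"\r\n'
            b'Content-Type: application/octet-stream\r\n\r\n' + php + b'\r\n--' + boundary + b'--\r\n')
    return (b'POST /upload.php HTTP/1.1\r\nHost: example.test\r\nContent-Type: multipart/form-data; boundary='
            + boundary + b'\r\nContent-Length: ' + str(len(body)).encode() + b'\r\n\r\n' + body)
```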