Snort mailing list archives
Re: does snort pick up lthe izamoon attack?
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 31 Mar 2011 18:26:48 -0400
Might be interesting either way: to see if one of your users was browsing to a compromised site, but also interesting to see an outbound one ($HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any) to see if one of your sites was compromised.

--
Joel Esler
http://blog.snort.org | http://vrt-blog.snort.org
Twitter: http://twitter.com/snort

On Thursday, March 31, 2011 at 6:17 PM, Alex Kirk wrote:
Detecting compromised pages should be trivial:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS lizamoon.com SQL injection compromised page"; flow:established,to_client; content:"script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"; nocase; classtype:trojan-activity;)

We can toss that into an upcoming SEU, given its growing prevalence.

On Thu, Mar 31, 2011 at 6:08 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:

Hi there

As you are all no doubt aware, the "lizamoon" SQL injection attack has already hacked over 380,000 URLs. Does anyone know if snort picks it up via one of its existing rules, and if not, has anyone written one?

Thanks

http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself;
WebMatrix provides all the features you need to develop and
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
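As an added example, not code from the thread, from Sourcefire or from the Snort rule set, the following Python applies the content match from Alex Kirk's posted rule, together with the outbound header variant Joel Esler suggests, to constructed HTTP response payloads. It translates the Snort content string (with its |hex| escapes) into raw bytes, performs the nocase match, and decides from the constructed 5-tuple which of the two rule directions would fire. The $HTTP_PORTS set (80, 8080), the $HOME_NET range (10.0.0.0/24) and all payloads and addresses are assumptions made up for the example.

```python
# Added example (not from the thread or from Sourcefire/Snort): apply the
# posted content match, and Joel Esler's outbound variant, to constructed
# HTTP response payloads so the two rule directions can be compared.
import ipaddress

# Content option exactly as posted in Alex Kirk's rule. Snort's |..| syntax
# carries raw hex bytes: 3A 2F 2F is "://", 2F is "/".
RULE_CONTENT = "script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"

# Assumed snort.conf variables (not from the thread): $HTTP_PORTS and $HOME_NET.
HTTP_PORTS = {80, 8080}
HOME_NET = ipaddress.ip_network("10.0.0.0/24")


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content string (with |hex| escapes) into raw bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:                       # literal text outside the pipes
            out += part.encode("latin-1")
        else:                                # hex bytes inside the pipes
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


PATTERN = snort_content_to_bytes(RULE_CONTENT)


def content_nocase(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Emulate content:"..."; nocase; as an ASCII case-insensitive substring search."""
    return pattern.lower() in payload.lower()


def in_home_net(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def classify(src_ip: str, src_port: int, dst_ip: str, dst_port: int, payload: bytes):
    """Return 'inbound' where the posted rule header would match, 'outbound' for
    Joel's $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET variant, else None.
    Only the header direction and the content/nocase test are modelled; Snort's
    flow:established stream tracking and HTTP normalisation are not."""
    if src_port not in HTTP_PORTS or not content_nocase(payload):
        return None
    src_home, dst_home = in_home_net(src_ip), in_home_net(dst_ip)
    if not src_home and dst_home:
        return "inbound"    # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
    if src_home and not dst_home:
        return "outbound"   # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any
    return None


# Constructed sample responses (not real captures).
INJECTED_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Welcome</body></html>"
    b"<script src=http://lizamoon.com/ur.php></script>"
)
INJECTED_PAGE_MIXED_CASE = INJECTED_PAGE.replace(
    b"script src=http://lizamoon.com/ur.php", b"SCRIPT SRC=HTTP://LIZAMOON.COM/ur.php"
)
CLEAN_PAGE = b"HTTP/1.1 200 OK\r\n\r\n<html><body>Welcome</body></html>"


def run_samples():
    """Evaluate four constructed flows; returns a dict of verdicts."""
    return {
        # external web server -> internal browser: a user hit a compromised site
        "user_browsing": classify("203.0.113.5", 80, "10.0.0.20", 51234, INJECTED_PAGE),
        # internal web server -> external client: one of our own sites is compromised
        "own_site": classify("10.0.0.8", 80, "198.51.100.9", 40000, INJECTED_PAGE_MIXED_CASE),
        # clean page in the same outbound direction
        "clean": classify("10.0.0.8", 80, "198.51.100.9", 40000, CLEAN_PAGE),
        # injected content from a non-HTTP source port: neither rule header applies
        "wrong_port": classify("203.0.113.5", 4444, "10.0.0.20", 51234, INJECTED_PAGE),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The check mirrors only the header direction and the content/nocase portion of the rule; stream reassembly and the HTTP preprocessor, which the real rule relies on for flow:established,to_client, are outside what this script models.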
Current thread:
- does snort pick up lthe izamoon attack? Jason Haar (Mar 31)
- Re: does snort pick up lthe izamoon attack? Alex Kirk (Mar 31)
- Re: does snort pick up lthe izamoon attack? Jason Haar (Mar 31)
- Re: does snort pick up lthe izamoon attack? Joel Esler (Mar 31)
- Re: does snort pick up lthe izamoon attack? Alex Kirk (Mar 31)