Snort mailing list archives
Quick and dirty
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Jan 2013 09:20:07 -0700
Matches latest malicious email campaign. Clever person could mod this to detect outbound http, but I like to see it earlier than that:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS Blackhole exploit kit possible email track.php?fdic"; flow:to_server,established; content:"href="; content:"http|3a 2f 2f|"; content:"track.php?fdic"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10000039; rev:5;)

Email header snippet:

Received: from (192.168.1.184) by gregoro.de (82.77.113.102) with Microsoft SMTP Server id 8.0.685.24; Wed, 30 Jan 2013 16:18:01 +0200
Message-ID: <510929DC.704090 () gregoro de>
Date: Wed, 30 Jan 2013 16:18:01 +0200
From: =?koi8-r?B?IvDB18XMLvHLz9fMxddAZmRpYy5nb3Yi?= .<cunningham () vlcreative com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <redacted>
Subject: You are required to update your security system!

James
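The rule above has three content matches, and only the last one is relative: "track.php?fdic" must appear within 50 bytes after the end of the preceding "http://" match (the |3a 2f 2f| hex is just "://"). The following is an added Python emulation of that matching logic for testing the rule's intent against sample SMTP payloads; it is my own illustration, not code from James Lay's post or from Snort, and the payloads and hostnames (".invalid" domains) are constructed, not captured traffic. It re-searches every "http://" occurrence so a match is not lost because an earlier link in the same message was clean.

```python
# Added example: emulate the content / within semantics of the posted rule.
# Not Snort's engine; a faithful-enough model of these three options only.

HREF = b"href="
SCHEME = b"http://"          # the rule writes this as "http|3a 2f 2f|"
NEEDLE = b"track.php?fdic"
WITHIN = 50                  # within:50 -> at most 50 bytes after the prior match end


def matches_rule(payload: bytes) -> bool:
    """Return True when the payload satisfies all three content checks.

    content:"href=" and content:"http://" are non-relative (anywhere in
    the payload); content:"track.php?fdic"; within:50 must be found inside
    the 50 bytes that follow the end of an "http://" match.
    """
    if HREF not in payload:
        return False
    start = 0
    while True:
        pos = payload.find(SCHEME, start)
        if pos < 0:
            return False
        cursor = pos + len(SCHEME)            # detect offset end after "http://"
        window = payload[cursor:cursor + WITHIN]
        if NEEDLE in window:
            return True
        start = pos + 1                       # try the next "http://" occurrence


def scan(payloads):
    """Return the indices of payloads that would fire the rule."""
    return [i for i, p in enumerate(payloads) if matches_rule(p)]


# Constructed sample SMTP body fragments (not real messages).
SAMPLES = [
    b'Please see <a href="http://mail-example.invalid/track.php?fdic">update</a>',
    # the needle is there, but more than 50 bytes past "http://", so within:50 fails
    b'<a href="http://' + b"x" * 60 + b'/track.php?fdic">',
    # clean link: no needle at all
    b'<a href="http://example.invalid/index.html">home</a>',
    # first link is clean, second is not: re-search finds it
    b'<a href="http://example.invalid/a">' + b"-" * 80 + b'<a href="http://bad.invalid/track.php?fdic">',
    # needle and scheme present but no "href=" -> rule does not fire
    b"see http://bad.invalid/track.php?fdic in the log",
]

if __name__ == "__main__":
    for idx in scan(SAMPLES):
        print(f"sample {idx} would alert: {SAMPLES[idx][:60]!r}")
```

Sample 1 is the instructive one: the needle is present, but because 60 filler bytes separate it from "http://", within:50 does not match, which is exactly the kind of false negative a quick rule like this accepts in exchange for low noise.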
Current thread:
- Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty rmkml (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty Joel Esler (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty lists () packetmail net (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty rmkml (Jan 30)