Snort mailing list archives

Re: Quick and dirty


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Jan 2013 12:53:25 -0700

On 2013-01-30 12:46, Joel Esler wrote:
Thanks James.

Do you have a pcap for this?

On Jan 30, 2013, at 11:20 AM, James Lay <jlay () slave-tothe-box net> wrote:

Matches latest malicious email campaign.  Clever person could mod this
to detect outbound http, but I like to see it earlier than that:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( \
    msg:"SPECIFIC-THREATS Blackhole exploit kit possible email track.php?fdic"; \
    flow:to_server,established; \
    content:"href="; \
    content:"http|3a 2f 2f|"; \
    content:"track.php?fdic"; within:50; \
    metadata:policy balanced-ips drop, policy security-ips drop, service smtp; \
    classtype:trojan-activity; sid:10000039; rev:5;)


Sent offlist..thanks Joel!

James
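The rule above chains three content matches, and the part worth understanding before tuning it is the `within:50` modifier: the third pattern must sit entirely inside the 50 bytes that follow the end of the `http://` match, so a long host/path between the scheme and `track.php?fdic` makes the rule miss. The following Python is an added example, not code from the thread or from Snort; it emulates that matching logic on a handful of constructed SMTP payloads (sample bodies made up for this example, not real campaign mail) so the window behaviour can be seen without a sensor. It assumes a single reassembled payload; Snort's stream reassembly would normally be what hands the rule a complete message.

```python
# Added example: emulate the content/within chain of the posted Snort rule
# on constructed SMTP DATA payloads. Not Snort's engine, not the author's code.

HREF = b"href="
SCHEME = b"http://"          # the rule writes this as content:"http|3a 2f 2f|"
TRACKER = b"track.php?fdic"
WITHIN = 50                  # from the rule: within:50

# Constructed sample payloads (hypothetical hostnames, no real campaign data).
SAMPLES = {
    # scheme, short path, tracker ends 35 bytes after "http://" -> fires
    "hit": b'DATA\r\n<a href="http://example.invalid/path/track.php?fdic=1">open</a>\r\n',
    # 60 filler bytes between "http://" and the tracker -> outside within:50, no fire
    "too_far": b'DATA\r\n<a href="http://' + b"x" * 60 + b'/track.php?fdic">open</a>\r\n',
    # tracker present but no href= attribute anywhere -> first content fails
    "no_href": b"DATA\r\nVisit http://example.invalid/track.php?fdic\r\n",
    # benign message
    "plain": b"DATA\r\nHello, your statement is attached.\r\n",
}


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's content chain.

    content:"href="              absolute search anywhere in the payload
    content:"http|3a 2f 2f|"     absolute search anywhere in the payload
    content:"track.php?fdic"; within:50
                                 relative: the whole pattern must lie inside the
                                 50 bytes following the end of the previous match
    Like Snort, we try every occurrence of the anchor pattern before giving up.
    """
    if HREF not in payload:
        return False
    start = 0
    while True:
        i = payload.find(SCHEME, start)
        if i < 0:
            return False
        end = i + len(SCHEME)
        # within:N -> search window is exactly N bytes after the previous match
        if TRACKER in payload[end:end + WITHIN]:
            return True
        start = i + 1


def evaluate_samples() -> dict:
    """Run the emulated rule over every constructed sample."""
    return {name: rule_matches(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:8s} -> {'ALERT' if fired else 'no alert'}")
```

The `too_far` case is the one to keep in mind when the campaign's URLs grow a longer path or a tracking subdomain: raising `within`, or dropping the `http://` anchor and matching `track.php?fdic` relative to `href=` instead, widens the window at the cost of a slightly looser match.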


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

