Snort mailing list archives
Re: Quick and dirty
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Jan 2013 12:53:25 -0700
On 2013-01-30 12:46, Joel Esler wrote:
Thanks James. Do you have a pcap for this? On Jan 30, 2013, at 11:20 AM, James Lay <jlay () slave-tothe-box net> wrote:Matches latest malicious email campaign. Clever person could mod this to detect outbound http, but I like to see it earlier than that: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS Blackhole exploit kit possible email track.php?fdic"; flow:to_server,established; content:"href="; content:"http|3a 2f 2f|"; content:"track.php?fdic"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10000039; rev:5;)
Sent offlist..thanks Joel! James ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty rmkml (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty Joel Esler (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty lists () packetmail net (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty James Lay (Jan 30)
- Re: Quick and dirty rmkml (Jan 30)