Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)

[Joel Esler <jesler () sourcefire com>]

Okay, so to go back to your original intention, it's probably a good idea to have one with a reverse direction from 
what I shipped?


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from 
compromised or malicious WordPress site"; flow:to_server,established; content:"/wp-content/"; http_uri; 
content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U"; metadata:policy security-ips drop, ruleset 
community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; 
classtype:trojan-activity; sid:26576; rev:1;)


(being what I shipped)


On May 7, 2013, at 2:12 PM, Nathan <nathan () packetmail net> wrote:

> Seems it was a good thing I used a disclaimer in the original rule, its an http request to the server and I fubared 
> the direction... Sorry for the confusion
>
> On May 7, 2013, at 11:34, Joel Esler <jesler () sourcefire com> wrote:
>
> > yes?


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!