Snort mailing list archives
Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 7 May 2013 14:23:25 -0400
Okay, so to go back to your original intention, it's probably a good idea to have one with a reverse direction from what I shipped?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site"; flow:to_server,established; content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U"; metadata:policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:26576; rev:1;)

(being what I shipped)

On May 7, 2013, at 2:12 PM, Nathan <nathan () packetmail net> wrote:
> Seems it was a good thing I used a disclaimer in the original rule, it's an HTTP request to the server and I fubared the direction... Sorry for the confusion
>
> On May 7, 2013, at 11:34, Joel Esler <jesler () sourcefire com> wrote:
>
>> yes?
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
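Added example, not from the thread and not Snort's own matching engine: a small Python emulation of the conditions in sid:26576, run over constructed request lines, to show what the rule's direction, content and pcre options accept and reject. It models flow:to_server as a boolean rather than tracking the TCP session, treats the fast_pattern:only content as case-insensitive (the fast pattern matcher is), and assumes the http_uri buffer holds the full request-URI including any query string, as Snort 2.x builds it. Sample names and request lines are made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Minimal emulation of the match conditions of sid:26576 (added example,
# not Snort's own matching engine). Assumptions are marked below.

# pcre:"/\/\d+\.exe$/U"  (U = evaluate against the normalized URI buffer)
URI_PCRE = re.compile(r"/\d+\.exe$")


@dataclass
class Request:
    to_server: bool     # stands in for flow:to_server (client -> server)
    request_line: str   # raw first line of the HTTP request


def normalized_uri(request_line: str):
    """Return the request-URI as the http_uri buffer would hold it.

    Assumption: as in Snort 2.x, the buffer keeps the query string, so
    '/a/1.exe?x=1' is matched as a whole, not truncated at '?'.
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    return parts[1]


def matches_sid_26576(req: Request) -> bool:
    """Evaluate the rule's options in the order a reader would check them."""
    # flow:to_server,established -- only the client's request is inspected,
    # so a copy of the rule with the endpoints swapped never sees this line.
    if not req.to_server:
        return False
    uri = normalized_uri(req.request_line)
    if uri is None:
        return False
    # content:"/wp-content/"; http_uri;
    if "/wp-content/" not in uri:
        return False
    # content:".exe|20|HTTP/1."; fast_pattern:only;
    # A fast_pattern:only content is matched by the case-insensitive fast
    # pattern matcher and not re-checked as a rule option, hence lower().
    if ".exe http/1." not in req.request_line.lower():
        return False
    # pcre:"/\/\d+\.exe$/U"  -- the '$' anchors at the end of the URI buffer.
    return URI_PCRE.search(uri) is not None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "numeric_exe_under_wp_content":
        Request(True, "GET /wp-content/uploads/2013/05/67213.exe HTTP/1.1"),
    "same_request_reverse_direction":
        Request(False, "GET /wp-content/uploads/2013/05/67213.exe HTTP/1.1"),
    "named_exe":
        Request(True, "GET /wp-content/plugins/backup/setup.exe HTTP/1.1"),
    "numeric_exe_with_query_string":
        Request(True, "GET /wp-content/uploads/2013/05/67213.exe?dl=1 HTTP/1.1"),
    "numeric_exe_outside_wp_content":
        Request(True, "GET /images/67213.exe HTTP/1.1"),
}


def run_samples() -> dict:
    """Map each sample name to whether sid:26576 would alert on it."""
    return {name: matches_sid_26576(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

Only the first sample alerts. The query-string case is the one worth noticing: both the `$` in `/\/\d+\.exe$/U` and the `.exe|20|HTTP/1.` content assume the URI ends at `.exe`, so a download URL with a trailing parameter slips past the rule as written. The direction check is why the same request line with the endpoints reversed never fires: the request only travels client to server.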
Current thread:
- Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Joel Esler (May 07)
- Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Nathan (May 09)
- Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Joel Esler (May 07)
- Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Community Proposed (May 07)
- Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Joel Esler (May 07)
- Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Nathan (May 09)