Re: PHP config and more

[Joel Esler <jesler () sourcefire com>]

On May 7, 2013, at 3:32 PM, James Lay <jlay () slave-tothe-box net> wrote:

> Yea kinda doubt anyone is downloading config.inc.php in an iframe:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"INDICATOR-COMPROMISED config.inc.php in iframe"; 
> flow:from_server,established; file_data; content:"<iframe"; 
> content:"config.inc.php"; within:50; fast_pattern; metadata:policy 
> balanced-ips drop, policy security-ips drop, service http; 
> reference:url,http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html;
>  
> classtype:trojan-activity; sid:10000051; rev:1;)


James,

With some minor modifications, this looks pretty good.

I'll get it in.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!