Snort mailing list archives
Re: PHP config and more
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 7 May 2013 16:15:16 -0400
On May 7, 2013, at 3:32 PM, James Lay <jlay () slave-tothe-box net> wrote:
Yea kinda doubt anyone is downloading config.inc.php in an iframe: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISED config.inc.php in iframe"; flow:from_server,established; file_data; content:"<iframe"; content:"config.inc.php"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:10000051; rev:1;)
James, With some minor modifications, this looks pretty good. I'll get it in. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- PHP config and more James Lay (May 07)
- Re: PHP config and more Joel Esler (May 07)
- Re: PHP config and more James Lay (May 08)
- Re: PHP config and more Joel Esler (May 07)