Snort mailing list archives

HideMeBetter – SPAM injection Variant


From: Paul Bottomley <Paul.Bottomley () betfair com>
Date: Thu, 1 Aug 2013 08:21:45 +0000

Here we go..

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HideMeBetter spam injection variant"; \
    flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; file_data; \
    content:"if(document|2e|getElementById(|22|HideMeBetter|22|)|20 21 3d 20|null)"; \
    metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; \
    reference:url,http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; \
    sid:xxxxx; rev:1;)



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
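
An added example, not part of the original post: a small Python check that expands the |hex| notation in the rule's two content strings and tests them against HTTP response bodies, which is a quick way to confirm what the signature matches before loading it into a sensor. The function names and all three sample bodies are constructed for illustration; the matching is a plain case-sensitive substring test, which is how these two contents behave since neither carries nocase or positional modifiers.

```python
# The two content strings from the rule, copied verbatim.
RULE_CONTENTS = [
    '<div id=|22|HideMeBetter|22|>',
    'if(document|2e|getElementById(|22|HideMeBetter|22|)|20 21 3d 20|null)',
]

def decode_content(pattern: str) -> bytes:
    """Expand Snort content notation: literal text, \\-escapes, |hex| runs."""
    out, hexbuf, in_hex, i = bytearray(), "", False, 0
    while i < len(pattern):
        ch = pattern[i]
        if in_hex:
            if ch == '|':                      # end of a hex run
                out += bytes.fromhex(hexbuf)   # spaces between bytes are ignored
                hexbuf, in_hex = "", False
            else:
                hexbuf += ch
        elif ch == '\\' and i + 1 < len(pattern):
            i += 1                             # escaped literal such as \" or \;
            out += pattern[i].encode('latin-1')
        elif ch == '|':
            in_hex = True
        else:
            out += ch.encode('latin-1')
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| run in content pattern")
    return bytes(out)

def rule_matches(body: bytes) -> bool:
    """True when every content string of the rule occurs in the body."""
    return all(decode_content(c) in body for c in RULE_CONTENTS)

# Constructed sample bodies (not captured traffic).
INJECTED = (b'<html><body><div id="HideMeBetter"><a href="http://spam.example/">'
            b'x</a></div><script>if(document.getElementById("HideMeBetter") != '
            b'null){/* ... */}</script></body></html>')
CLEAN = b'<html><body><div id="content">hello</div></body></html>'
# Same page with the spaces around != removed: the second content no longer
# matches, so the signature depends on the exact spacing in the script.
RESPACED = INJECTED.replace(b' != null', b'!=null')

if __name__ == "__main__":
    for name, body in (("injected", INJECTED), ("clean", CLEAN), ("respaced", RESPACED)):
        print(name, rule_matches(body))
```

The respaced case shows where the signature is brittle: a variant that changes whitespace in the script check would need a pcre option or a shorter content to keep matching.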

