Snort mailing list archives
Re: [Snort-sigs] HideMeBetter – SPAM injection Variant
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 5 Aug 2013 10:15:15 -0400
So Paul,

Sorry for taking a while to get back to you. A couple comments here.

#1 -- You only need file_data once. It comes before the content matches in the file_data buffer, which you used correctly, but you only need it once in the rule if you aren't backing out of that buffer at any time (which you aren't in this rule).

#2 -- You forgot a semicolon behind the big content match, no biggie.

#3 -- Don't forget to remove "http://" in the url reference.

Otherwise, committed this morning.

On Thu, Aug 1, 2013 at 4:21 AM, Paul Bottomley <Paul.Bottomley () betfair com> wrote:
Here we go..

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HideMeBetter spam injection variant"; flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; file_data; content:"if(document|2e|getElementById(|22|HideMeBetter|22|)|20 21 3d 20|null)" metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:xxxxx; rev:1;)
-- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
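As an added illustration (not part of the thread, and not Sourcefire's or Betfair's code), the script below takes the posted rule with Joel's three corrections applied (one file_data, the missing semicolon, no "http://" in the reference; the sid stays as the xxxxx placeholder from the post), expands the two content strings from Snort's |xx| hex notation into raw bytes, and runs them against constructed HTTP responses. It shows what the file_data buffer actually sees (the response body, not the headers) and that both content matches must hit before the rule fires. The sample responses and the body-splitting helper are simplifications written for this example: real Snort normalizes, dechunks and inflates the body before file_data is applied.

```python
"""Apply the HideMeBetter rule's content matches to sample HTTP responses.

Added example for the snort-sigs thread; the rule text below is Paul's rule
with Joel's three fixes applied.  The HTTP responses are constructed here.
"""
import re

# sid:xxxxx is the placeholder from the original post, left as-is.
CORRECTED_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"HideMeBetter spam injection variant"; flow:to_client,established; '
    'file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; '
    'content:"if(document|2e|getElementById(|22|HideMeBetter|22|)|20 21 3d 20|null)"; '
    'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, '
    'ruleset community, service http; '
    'reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; '
    'classtype:trojan-activity; sid:xxxxx; rev:1;)'
)


def snort_content_to_bytes(pattern):
    """Expand a Snort content string into raw bytes.

    Text outside pipes is literal; text between |...| is a run of
    space-separated hex bytes, e.g. '|20 21 3d 20|' -> b' != '.
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:            # even chunks are literal text
            out += part.encode("latin-1")
        else:                     # odd chunks are hex byte runs
            out += bytes(int(h, 16) for h in part.split())
    return bytes(out)


def rule_contents(rule):
    """Return every content:"..." of a rule, in order, as raw bytes."""
    return [snort_content_to_bytes(p) for p in re.findall(r'content:"([^"]*)"', rule)]


def http_body(raw_response):
    """Crude stand-in for the file_data buffer: everything after the header
    block.  Real Snort also dechunks and gunzips the body; this does not."""
    _head, sep, body = raw_response.partition(b"\r\n\r\n")
    return body if sep else b""


def rule_matches(raw_response, rule=CORRECTED_RULE):
    """True only when every content of the rule occurs in the response body.

    The first content is the fast_pattern, so it is tried first and a miss
    ends evaluation early, which is what all() does here.
    """
    body = http_body(raw_response)
    return all(c in body for c in rule_contents(rule))


# Constructed sample traffic (not captured from a real infection).
INJECTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><p>Welcome</p>\n"
    b'<div id="HideMeBetter"><a href="http://example.invalid/">cheap pills</a></div>\n'
    b'<script>if(document.getElementById("HideMeBetter") != null)'
    b'{document.getElementById("HideMeBetter").style.display="none";}</script>\n'
    b"</body></html>"
)
# Only the div, no hiding script: the second content never matches.
DIV_ONLY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<html><body><div id="HideMeBetter">legit widget</div></body></html>'
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><p>Welcome</p></body></html>"
)

if __name__ == "__main__":
    for name, resp in (("injected", INJECTED_RESPONSE),
                       ("div only", DIV_ONLY_RESPONSE),
                       ("clean", CLEAN_RESPONSE)):
        print(f"{name:9s} -> {'ALERT' if rule_matches(resp) else 'no alert'}")
```

Because file_data moves the cursor to the response body, anything that appears only in the headers is never inspected; that is also why a second file_data before the second content changes nothing in this rule, exactly as Joel notes.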
Current thread:
- HideMeBetter – SPAM injection Variant Paul Bottomley (Aug 01)
- Re: [Snort-sigs] HideMeBetter – SPAM injection Variant Joel Esler (Aug 05)