Snort mailing list archives
Malicious ZenCart redirect sigs
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 17 Feb 2014 16:31:02 -0700
Slow Monday: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INDICATOR-COMPROMISED ZenCart Malicious Redirect detected"; flow:to_server,established; file_data; content:"Set-Cookie|3A 20|USERID=shine-check|3b|"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html; classtype:trojan-activity; sid:10000127; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INDICATOR-COMPROMISED Compromised ZenCart detected"; flow:to_server,established; file_data; content:"Set-Cookie|3A 20|USERID=twotime|3b|"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html; classtype:trojan-activity; sid:10000128; rev:1;) James ------------------------------------------------------------------------------ Managing the Performance of Cloud-Based Applications Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. Read the Whitepaper. http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Malicious ZenCart redirect sigs James Lay (Feb 17)
- Re: Malicious ZenCart redirect sigs Carlos Pacho (Feb 18)