Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Malicious ZenCart redirect sigs

From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 17 Feb 2014 16:31:02 -0700
Slow Monday:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INDICATOR-COMPROMISED 
ZenCart Malicious Redirect detected"; flow:to_server,established; 
file_data; content:"Set-Cookie|3A 20|USERID=shine-check|3b|"; 
http_header; fast_pattern:only; metadata:policy balanced-ips drop, 
policy security-ips drop, service http; 
reference:url,blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html; 
classtype:trojan-activity; sid:10000127; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INDICATOR-COMPROMISED 
Compromised ZenCart detected"; flow:to_server,established; file_data; 
content:"Set-Cookie|3A 20|USERID=twotime|3b|"; http_header; 
fast_pattern:only; metadata:policy balanced-ips drop, policy 
security-ips drop, service http; 
reference:url,blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html; 
classtype:trojan-activity; sid:10000128; rev:1;)

James

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: