Snort mailing list archives

Offer a new sig for detecting Phoenix Exploit Kit


From: rmkml <rmkml () ligfy org>
Date: Tue, 6 Sep 2016 21:12:15 +0200 (CEST)

Hi,

The http://etplc.org open source project offers a new sig for detecting Phoenix Exploit Kit:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phoenix Exploit Kit geoip.php bdr param RCE attempt"; \
flow:to_server,established; content:"/geoip.php?bdr="; nocase; http_uri; \
reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phoenix_exec.rb; \
classtype:web-application-activity; sid:1; rev:1;)

See reference for more information.

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml
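As an added example (not part of the original post or of the etplc.org rule set), a small Python emulation of what this rule keys on: the case-insensitive `content` match against the request URI, gated by the `$HTTP_SERVERS` / `$HTTP_PORTS` variables the author reminds readers to check. The network ranges, ports and request lines are constructed placeholders, and Snort's real `http_uri` buffer is the normalized URI, so this is an approximation of the match, not a reimplementation of Snort.

```python
from ipaddress import ip_address, ip_network

# The rule's content match: "/geoip.php?bdr=" with the nocase and http_uri
# modifiers, i.e. a case-insensitive match against the request URI only.
RULE_CONTENT = "/geoip.php?bdr="

# Hypothetical values for the Snort variables the rule header depends on.
# If these do not cover the web servers being protected, the rule never fires.
HTTP_SERVERS = [ip_network("192.0.2.0/24")]
HTTP_PORTS = {80, 8080}


def uri_matches(request_line):
    """Apply the content/nocase/http_uri part of the rule to one request line.

    Snort's http_uri buffer holds the normalized URI; here the raw request
    target from the request line is used as an approximation.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    uri = parts[1]
    return RULE_CONTENT.lower() in uri.lower()


def rule_fires(dst_ip, dst_port, request_line):
    """Emulate the rule header: only traffic to $HTTP_SERVERS on $HTTP_PORTS
    is ever evaluated against the content match."""
    to_http_server = any(ip_address(dst_ip) in net for net in HTTP_SERVERS)
    return to_http_server and dst_port in HTTP_PORTS and uri_matches(request_line)


# Constructed sample requests (dst_ip, dst_port, request line), not real traffic.
SAMPLES = [
    ("192.0.2.10", 80, "GET /geoip.php?bdr=value HTTP/1.1"),
    ("192.0.2.10", 80, "GET /GeoIP.PHP?BDR=value HTTP/1.1"),      # nocase catches this
    ("192.0.2.10", 80, "GET /geoip.php?ip=203.0.113.5 HTTP/1.1"),  # benign lookup, no bdr param
    ("198.51.100.7", 80, "GET /geoip.php?bdr=value HTTP/1.1"),    # host outside $HTTP_SERVERS
]


def alerting_samples(samples=SAMPLES):
    """Return the request lines from samples that would raise this alert."""
    return [line for ip, port, line in samples if rule_fires(ip, port, line)]


if __name__ == "__main__":
    for line in alerting_samples():
        print("ALERT:", line)
```

Running it shows the fourth sample stays silent even though its URI matches, which is the variable-scoping pitfall the post warns about.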

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org