[Emerging-Sigs] some asprox rules
Jack Pepper
pepperjack at afferentsecurity.com
Wed Jul 9 09:09:33 EDT 2008
I found an infected web site, and after being informed by their tech
staff that, "our site is not infected, and you are mistaken", I
decided we needed these rules:
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Crap!! My Server is Spreading ASPROX - ngg.js distro"; content:"<script src=http\://"; within: 15; content:"ngg.js>"; classtype:trojan-activity; sid:1010101; rev:1;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Crap!! My Server is Spreading ASPROX - b.js distro"; content:"<script src=http\://"; within: 15; content:"b.js>"; classtype:trojan-activity; sid:1010102; rev:1;)
jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
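
Added example (not part of the post above or of the Emerging Threats rule set): a Python model of the two content strings run over constructed response bodies, showing that the literal "b.js>" also fires on an unrelated file such as web.js, next to a stricter check on the exact file name. The host names, sample bodies and function names are assumptions made for illustration, and the rules' within option is not modelled.

```python
import re

# File names taken from the two rules in the post.
ASPROX_SCRIPTS = ("ngg.js", "b.js")
FIRST_CONTENT = b"<script src=http://"

# Unquoted external script tag: captures host and path separately.
SCRIPT_TAG = re.compile(rb"<script src=http://([^\s>/]+)(/[^\s>]*)>", re.I)

# Constructed sample response bodies (not captured traffic).
SAMPLES = {
    "injected": b"<td>Widget<script src=http://bad.example.invalid/ngg.js></script></td>",
    "benign": b"<head><script src=http://cdn.example.invalid/js/web.js></script></head>",
    "clean": b"<html><body>No scripts here</body></html>",
}


def rule_literal_match(body: bytes, name: str) -> bool:
    """Simplified model of a posted rule: both content strings occur
    somewhere in the payload, in any order (within is not modelled)."""
    return FIRST_CONTENT in body and (name.encode() + b">") in body


def injected_scripts(body: bytes) -> list[tuple[str, str]]:
    """Stricter check: return (host, file) only when the last path
    component of an unquoted external script is exactly a listed name."""
    hits = []
    for m in SCRIPT_TAG.finditer(body):
        host = m.group(1).decode("latin-1")
        fname = m.group(2).decode("latin-1").rsplit("/", 1)[-1]
        if fname.lower() in ASPROX_SCRIPTS:
            hits.append((host, fname))
    return hits


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        literal = [n for n in ASPROX_SCRIPTS if rule_literal_match(body, n)]
        print(f"{label:9} literal={literal} strict={injected_scripts(body)}")
```
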