[Emerging-Sigs] some asprox rules

Matt Jonkman jonkman at jonkmans.com
Wed Jul 9 15:10:23 EDT 2008


I like those...   great idea Jack!

Posting now (May adjust the msg a bit :) )

Matt

Jack Pepper wrote:
> I found an infected web site, and after being informed by their tech  
> staff that, "our site is not infected, and you are mistaken", I  
> decided we needed these rules:
> 
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Crap!! My Server is Spreading ASPROX - ngg.js distro"; content:"<script src=http\://"; within: 15; content:"ngg.js>"; classtype:trojan-activity; sid:1010101; rev:1;)
> 
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Crap!! My Server is Spreading ASPROX - b.js distro"; content:"<script src=http\://"; within: 15; content:"b.js>"; classtype:trojan-activity; sid:1010102; rev:1;)
> 
> jp
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
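
Added example, not part of the original post or of the Emerging Threats ruleset: a Python triage script for saved page bodies that shows what the two content strings in the quoted rules match, then narrows hits to a single unquoted script tag. The sample pages and `.example` hosts are constructed, the helper names are hypothetical, and the `within` modifier is not modelled.

```python
import re

# File names taken from the two rules quoted in the post.
RULE_BASENAMES = ("ngg.js", "b.js")

# Unquoted tag form used by the rules: <script src=http://HOST/PATH>
TAG_RE = re.compile(rb"<script src=(http://[^\s<>\"']+)>")


def rule_would_fire(body: bytes) -> bool:
    """Loose emulation of the rules' two content matches: case-sensitive,
    anywhere in the body, in any order. 'within' is not modelled."""
    return b"<script src=http://" in body and any(
        name.encode() + b">" in body for name in RULE_BASENAMES)


def find_injected_tags(body: bytes):
    """Return (url, exact) for each unquoted script tag whose URL ends in a
    rule file name. exact is True when the last path segment is that name."""
    hits = []
    for m in TAG_RE.finditer(body):
        url = m.group(1).decode("latin-1")
        basename = url.rsplit("/", 1)[-1]
        for name in RULE_BASENAMES:
            if url.endswith(name):
                hits.append((url, basename == name))
                break
    return hits


# Constructed sample page bodies (not captured traffic).
SAMPLES = {
    "injected": b"<td>Widget<script src=http://injected.example/ngg.js></td>",
    "suffix_only": b"<head><script src=http://cdn.example/web.js></script></head>",
    "quoted": b'<script src="http://cdn.example/b.js"></script>',
    "split": b"<script src=http://cdn.example/app.js></script><p>see b.js></p>",
}


def triage(pages):
    """Map page name -> (rule emulation result, tags worth an analyst's look)."""
    return {name: (rule_would_fire(body), find_injected_tags(body))
            for name, body in pages.items()}


if __name__ == "__main__":
    for name, (fires, tags) in triage(SAMPLES).items():
        print(f"{name:12} rule_fires={fires} tags={tags}")
```

The `suffix_only` and `split` samples are the cases to review by hand when an alert fires: both satisfy the two content strings without containing a tag for `ngg.js` or `b.js` itself.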



