[Emerging-Sigs] some asprox rules
David Glosser
david.glosser at gmail.com
Thu Jul 10 06:29:00 EDT 2008
not sure this went out the first time...
would something like this work, since not many sites have legit
iframes pointing to a .mobi or .cn domain:
# within modifies the content it follows, so it goes after the second pattern
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Crap!! My Server is Spreading ASPROX "; content:"iframe"; content:".cn>"; within:15; classtype:trojan-activity; sid:1010101; rev:1;)
# same check for .mobi; distinct sid so the two rules do not collide
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Crap!! My Server is Spreading ASPROX "; content:"iframe"; content:".mobi>"; within:15; classtype:trojan-activity; sid:1010102; rev:1;)
Also, would something like this work, assuming the site has no iframes:
# fires on any outbound page with a remote script followed closely by an iframe tag
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Crap!! My Server has an IFRAME"; content:"<script src=http\://"; content:"iframe>"; within:15; classtype:trojan-activity; sid:1010103; rev:1;)
(maybe best to leave that one commented out)
>
>
> On Wed, Jul 9, 2008 at 3:10 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>> I like those... great idea Jack!
>>
>> Posting now (May adjust the msg a bit :) )
>>
>> Matt
>>
>> Jack Pepper wrote:
>>> I found an infected web site, and after being informed by their tech
>>> staff that, "our site is not infected, and you are mistaken", I
>>> decided we needed these rules:
>>>
>>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Crap!! My Server is Spreading ASPROX - ngg.js distro"; content:"<script src=http\://"; content:"ngg.js>"; within:15; classtype:trojan-activity; sid:1010101; rev:1;)
>>>
>>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Crap!! My Server is Spreading ASPROX - b.js distro"; content:"<script src=http\://"; content:"b.js>"; within:15; classtype:trojan-activity; sid:1010102; rev:1;)
>>>
>>> jp
>>>
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>
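Added example, not from anyone in this thread: a small Python model of the content/within check that both Jack's script rules and David's iframe rules rely on, run over constructed HTML snippets with made-up hostnames. It assumes the documented within semantics (the second pattern must sit entirely inside the N bytes following the end of the previous match), and the samples show how tight a 15-byte window is once the injected hostname gets longer.

```python
# Model of Snort/Suricata "content:A; content:B; within:N" matching for the
# rules in this thread. Sample payloads are constructed, not captured traffic.

# (first pattern, second pattern, within) taken from the thread's rules
RULES = {
    "asprox ngg.js": (b"<script src=http://", b"ngg.js>", 15),  # Jack's rule
    "asprox b.js":   (b"<script src=http://", b"b.js>", 15),    # Jack's rule
    "iframe .cn":    (b"iframe", b".cn>", 15),                  # David's rule
    "iframe .mobi":  (b"iframe", b".mobi>", 15),                # David's rule
}


def content_within(payload, first, second, within):
    """True if `second` lies entirely inside the `within` bytes that follow
    the end of some occurrence of `first`.  Later occurrences of `first` are
    retried, as the engines do, so one early miss does not hide a later hit."""
    start = payload.find(first)
    while start != -1:
        end = start + len(first)                 # end of the previous match
        if second in payload[end:end + within]:  # whole pattern inside window
            return True
        start = payload.find(first, start + 1)
    return False


def matching_rules(payload):
    """Names of the thread's rules whose content/within checks hit `payload`."""
    return [name for name, (a, b, n) in RULES.items()
            if content_within(payload, a, b, n)]


# constructed samples (hostnames are placeholders)
SAMPLES = {
    # "ex.test/ngg.js>" is exactly 15 bytes after the first match: hit
    "short host script": b"<html><script src=http://ex.test/ngg.js></script>",
    # a longer hostname pushes "ngg.js>" outside the 15-byte window: miss
    "long host script": b"<script src=http://malware-host.example/ngg.js>",
    # " src=//a.cn>" is 12 bytes after "iframe": hit
    "short iframe": b"<iframe src=//a.cn>",
    # " src=http://x.cn>" is 17 bytes, so ".cn>" ends past the window: miss
    "iframe, http scheme": b"<iframe src=http://x.cn>",
    # first "iframe" occurrence misses, the second one hits (retry)
    "two iframes": b"<iframe src=http://long-host.example/x.htm></iframe><iframe src=//b.cn>",
}

if __name__ == "__main__":
    for label, html in SAMPLES.items():
        print(f"{label:22s} -> {matching_rules(html)}")
```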