From pepperjack at afferentsecurity.com Mon Sep 1 09:31:36 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Mon, 01 Sep 2008 08:31:36 -0500
Subject: [Emerging-Sigs] rule for successful danmec
In-Reply-To: <48BB3E7A.608@jonkmans.com>
References: <20080829114710.va6805h8xwkwoosc@mail.afferentsecurity.com> <48BB3E7A.608@jonkmans.com>
Message-ID: <20080901083136.ed0e001auckk0oco@mail.afferentsecurity.com>

Quoting Matt Jonkman :

> Good idea, seen a lot of these. Will throw it into current events for a bit.
> I would expect it to last no more than a week.

I will keep monitoring for a change.

A writer on another forum pointed out to me that this is not danmec, but is a "Chinese malware" attack that ripped off the danmec code.

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com


From pepperjack at afferentsecurity.com Mon Sep 1 10:17:04 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Mon, 01 Sep 2008 09:17:04 -0500
Subject: [Emerging-Sigs] updates for danmec rules
Message-ID: <20080901091704.rea15865w8ogo4cw@mail.afferentsecurity.com>

Joe Stewart has pointed out that the only filenames active on danmec are:

/b.js
/script.js
/ngg.js
/add.js
/lle.js
/portal.js
/che.js
/js.js
/fgg.js

So let's change 2008508:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site"; content:"
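As an added illustration (my own code, not part of the thread and not the ET rule), a small Python helper that pulls every script src out of an HTTP response body and reports the ones whose URL path is exactly one of the nine filenames Joe Stewart listed; the exact-path comparison (so /static/js.js does not count as /js.js) and the sample body are assumptions I made for the example.

```python
# Added example: flag <script src=...> references whose URL path is one of the
# nine filenames listed as still active on danmec/ASPROX-infected sites.
# Not the ET rule itself; exact-path matching is an assumption made here.
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE_PATHS = frozenset([
    "/b.js", "/script.js", "/ngg.js", "/add.js", "/lle.js",
    "/portal.js", "/che.js", "/js.js", "/fgg.js",
])


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def find_active_danmec_refs(body):
    """Return the script src values whose path is an active danmec filename.

    Only the path component is compared (scheme, host and query string are
    ignored), and it must match exactly: /static/js.js is not /js.js.
    """
    parser = ScriptSrcCollector()
    parser.feed(body)
    return [src for src in parser.srcs if urlsplit(src).path in ACTIVE_PATHS]


# Constructed sample response body (not captured traffic).
SAMPLE_BODY = (
    "<html><body><p>hello</p>"
    '<script src="/static/js.js"></script>'                 # benign: path differs
    "<script src=http://host.invalid/ngg.js></script>"      # unquoted, matches /ngg.js
    '<script src="https://cdn.invalid/js.js?v=3"></script>'  # matches /js.js
    "</body></html>"
)

if __name__ == "__main__":
    for hit in find_active_danmec_refs(SAMPLE_BODY):
        print("active danmec script reference:", hit)
```

The generic names in the list (script.js, js.js, add.js) make a bare path match noisy on its own, which is why the real rule also needs the content qualifiers the thread is about to discuss.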