[Emerging-Sigs] Detecting web based exploit packs - Armitage

dxp dxp2532 at gmail.com
Thu Jan 15 15:02:54 EST 2009


This is the first set in a series on exploit packs.  Will post more
soon.
Some background on Armitage:
http://dxp2532.blogspot.com/2009/01/armitage-10.html


        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB Armitage Loader Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/exe.php"; sid:XXXXXX; rev:1;)

        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB Armitage Loader Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lds.php"; sid:XXXXXX; rev:1;)

        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB Armitage Exploit Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/bof.php"; sid:XXXXXX; rev:1;)


-- 

-=[ dxp ]=-
0xA3F3C6E3
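As an added example (not part of dxp's post or the Emerging Threats ruleset), the Python below applies the checks from the three rules to constructed HTTP request strings. It approximates what Snort's http_inspect does before `uricontent` is evaluated: the pattern is matched against the normalized URI (percent-decoded, with `.`/`..` segments and repeated slashes collapsed), so a request that hides the slash as `%2F` still fires, while a POST, or a request to a port outside $HTTP_PORTS, does not. The $HTTP_PORTS set, the request samples and the function names are assumptions for this example. When deploying, keep in mind that a bare fragment like `/exe.php` is short and generic, so expect to tune these rules against your own HTTP traffic.

```python
"""Re-implementation of the three Armitage URI rules over raw HTTP requests.
Example code; the rule names and URI fragments are the only parts taken
from the posted signatures."""
import posixpath
from urllib.parse import unquote

# Assumed subset of Snort's default $HTTP_PORTS variable.
HTTP_PORTS = {80, 81, 8000, 8008, 8080, 8888}

# msg -> uricontent from the three posted rules (case-sensitive, no nocase).
ARMITAGE_RULES = {
    "ET WEB Armitage Loader Request": "/exe.php",
    "ET WEB Armitage Loader Check-in": "/lds.php",
    "ET WEB Armitage Exploit Request": "/bof.php",
}


def normalize_uri(raw_uri: str) -> str:
    """Approximate the normalized URI buffer that uricontent inspects:
    percent-decode the path and query, then collapse '.', '..' and '//'."""
    path, sep, query = raw_uri.partition("?")
    path = unquote(path) or "/"
    norm = posixpath.normpath(path)
    if path.endswith("/") and norm != "/":
        norm += "/"          # normpath strips a trailing slash; keep it
    return norm + (sep + unquote(query) if sep else "")


def match_request(payload: bytes, dst_port: int) -> list:
    """Apply the rule logic to one client-to-server request.
    Returns the msg of every rule that would alert (normally 0 or 1)."""
    if dst_port not in HTTP_PORTS:           # -> $EXTERNAL_NET $HTTP_PORTS
        return []
    if payload[:4] != b"GET ":               # content:"GET "; depth:4
        return []
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    uri = normalize_uri(parts[1])
    return [msg for msg, frag in ARMITAGE_RULES.items() if frag in uri]


# Constructed sample traffic: (request bytes, destination port).
SAMPLE_REQUESTS = [
    (b"GET /stat/exe.php?id=3 HTTP/1.1\r\nHost: example.invalid\r\n\r\n", 80),
    (b"GET /stat%2Flds.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n", 8080),
    (b"GET /stat/./bof%2Ephp HTTP/1.1\r\nHost: example.invalid\r\n\r\n", 80),
    (b"POST /stat/exe.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n", 80),
    (b"GET /stat/exe.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n", 443),
    (b"GET /index.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n", 80),
]


def scan_requests(requests) -> dict:
    """Run every sample through the rules; map sample index -> alert msgs."""
    return {i: match_request(p, port) for i, (p, port) in enumerate(requests)}


if __name__ == "__main__":
    for idx, hits in scan_requests(SAMPLE_REQUESTS).items():
        line = SAMPLE_REQUESTS[idx][0].split(b"\r\n", 1)[0].decode("latin-1")
        print(f"{idx}: {line!r:55} -> {hits or 'no alert'}")
```

The second and third samples are the ones that matter: neither raw request line contains the literal `/lds.php` or `/bof.php`, but both would alert in Snort because the match runs after URI normalization, and this script reproduces that.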

