[Emerging-Sigs] Detecting web based exploit packs - Armitage

RPG inittab at jtan.com
Thu Jan 15 15:47:02 EST 2009


Good stuff!  The first sig "/exe.php"  should pick up a lot more junk 
than just Armitage me thinks.  May get some falses on that one too.


dxp wrote:
> This is the first set in a series on exploit packs.  Will post more soon.
> Some background on Armitage: 
> http://dxp2532.blogspot.com/2009/01/armitage-10.html
>
>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB Armitage Loader Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/exe.php"; sid:XXXXXX; rev:1;)
>
>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB Armitage Loader Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lds.php"; sid:XXXXXX; rev:1;)
>
>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB Armitage Exploit Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/bof.php"; sid:XXXXXX; rev:1;)
>
>
> -  
>
> -=[ dxp ]=-
> 0xA3F3C6E3
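To make the false-positive concern raised above concrete, here is an added example (not part of either message) that re-implements the match logic of the three quoted rules in plain Python and runs it over constructed HTTP request lines: the `/exe.php` check fires on any GET whose normalized URI contains that string, so a benign download script with the same file name alerts just like the Armitage loader request.

```python
"""Minimal re-implementation of the three quoted Armitage rules' match
conditions, run over constructed request lines. Added example; the URI
normalization is an approximation of Snort's http_inspect decoding."""
from urllib.parse import unquote, urlsplit

# Each quoted rule reduces to: content:"GET "; depth:4 plus one uricontent
# substring match on the normalized request URI.
RULES = {
    "ET WEB Armitage Loader Request": "/exe.php",
    "ET WEB Armitage Loader Check-in": "/lds.php",
    "ET WEB Armitage Exploit Request": "/bof.php",
}


def normalize_uri(raw_uri: str) -> str:
    """Percent-decode the path and drop the query string (approximates Snort)."""
    return unquote(urlsplit(raw_uri).path)


def match_rules(request_line: str) -> list[str]:
    """Return the msg strings of the quoted rules that fire on one request line."""
    if request_line[:4] != "GET ":          # content:"GET "; depth:4
        return []
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    uri = normalize_uri(parts[1])
    return [msg for msg, needle in RULES.items() if needle in uri]


# Constructed sample request lines (not captured traffic): three Armitage-style
# requests, a benign-looking download script, a percent-encoded variant, and a
# POST that the GET/depth:4 check excludes.
SAMPLE_REQUESTS = [
    "GET /armitage/exe.php?id=1 HTTP/1.1",
    "GET /armitage/lds.php HTTP/1.1",
    "GET /armitage/bof.php?v=2 HTTP/1.1",
    "GET /downloads/exe.php?file=setup HTTP/1.1",  # benign site, same file name
    "GET /%65xe.php HTTP/1.1",                     # decodes to /exe.php
    "POST /exe.php HTTP/1.1",
]


def run_samples(requests=SAMPLE_REQUESTS) -> dict[str, list[str]]:
    """Map each sample request line to the list of rule names it triggers."""
    return {req: match_rules(req) for req in requests}


if __name__ == "__main__":
    for req, hits in run_samples().items():
        print(f"{req:45} -> {hits or ['no alert']}")
```

The benign `/downloads/exe.php` line and the real loader request produce identical alerts, which is the "more junk than just Armitage" behaviour the reply predicts; narrowing the rule would need additional content beyond the bare file name.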