[Emerging-Sigs] duplicates rules

Darien Huss dhuss at emergingthreats.net
Wed Sep 24 08:28:08 EDT 2014


Thanks again, we'll get this fixed up today.

Regards,
Darien

On Tue, Sep 23, 2014 at 6:51 PM, Russell Fulton <r.fulton at auckland.ac.nz>
wrote:

> These versions are from the wiki.
>
> alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla
> Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT
> for JCE)"; http_header; classtype:web-application-attack; sid:2016032;
> rev:3;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN JCE
> Joomla Extension User-Agent (BOT)"; flow:to_server,established;
> content:"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header;
> reference:url,exploit-db.com/exploits/17734/; reference:url,
> blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html;
> classtype:attempted-recon; sid:2018327; rev:2;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140924/fec7b6ad/attachment.html>


More information about the Emerging-sigs mailing list