[Emerging-Sigs] 2025103/ET INFO HTTP POST Request to Suspicious *.cf Domain

Jason Williams jwilliams at emergingthreats.net
Thu Dec 7 08:00:27 HST 2017


Ah, yep, will get that fixed up right away.

Thanks!

Jason

On Thu, Dec 7, 2017 at 11:57 AM, Packet Hack <pckthck at gmail.com> wrote:

> Sig is falsing pretty bad on .cfm pages in the Referer.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO
> HTTP POST Request to Suspicious *.cf Domain";
> flow:established,to_server; content:"POST"; http_method;
> content:".cf"; fast_pattern; http_header; classtype:bad-unknown;
> sid:2025103; rev:2; metadata:created_at 2017_12_03, updated_at
> 2017_12_03;)
>
> Qualify this for the Host: header?
>
> -- pckthck
>
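
The false positive reported in this thread, and the Host-header qualification Packet Hack suggests, modelled in Python over constructed requests. This is an added example, not part of the original messages and not Emerging Threats' rule or fix; the function names, the sample hosts and the end-of-hostname anchoring are assumptions.

```python
# Added illustration: models the rule's content matches; it is not Suricata itself.

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, header_block, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    headers = {}
    for line in header_block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, header_block, headers

def matches_rev2(raw: bytes) -> bool:
    """sid 2025103 rev 2 as quoted: POST method and ".cf" anywhere in the headers."""
    method, header_block, _ = parse_request(raw)
    return method == b"POST" and b".cf" in header_block

def matches_host_qualified(raw: bytes) -> bool:
    """Assumed tightening: POST and the Host header's hostname ends in ".cf"."""
    method, _, headers = parse_request(raw)
    host = headers.get(b"host", b"").lower()
    hostname = host.rsplit(b":", 1)[0] if b":" in host else host  # drop a port
    return method == b"POST" and hostname.rstrip(b".").endswith(b".cf")

def _req(method: bytes, host: bytes, referer: bytes = b"") -> bytes:
    """Build a constructed sample request (hosts and paths are placeholders)."""
    lines = [method + b" /submit HTTP/1.1", b"Host: " + host]
    if referer:
        lines.append(b"Referer: " + referer)
    return b"\r\n".join(lines) + b"\r\n\r\n"

# Constructed samples, not captured traffic.
REFERER_CFM = _req(b"POST", b"www.example.com", b"http://www.example.com/forms/contact.cfm")
HOST_MID = _req(b"POST", b"assets.cf-static.example.com")  # ".cf" inside the host
HOST_CF = _req(b"POST", b"placeholder-domain.cf")
HOST_CF_PORT = _req(b"POST", b"placeholder-domain.cf:8080")
GET_CF = _req(b"GET", b"placeholder-domain.cf")

if __name__ == "__main__":
    for name in ("REFERER_CFM", "HOST_MID", "HOST_CF", "HOST_CF_PORT", "GET_CF"):
        raw = globals()[name]
        print(f"{name:13} rev2={matches_rev2(raw)!s:5} host_qualified={matches_host_qualified(raw)}")
```

The HOST_MID sample shows that restricting the substring match to the Host header is not enough by itself; the match also has to be anchored to the end of the hostname.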

