[Emerging-Sigs] Zone-H POST rule (sid: 2001616)

Harley H bobb.harley at gmail.com
Wed Dec 20 08:14:14 HST 2017

I noticed the Zone-H POST rule (sid: 2001616) has different IPs than what
that website is currently resolving to. Looking at the revision history it
seems the IPs have changed with some regularity.

Also, it might be good to include $HTTP_SERVERS in the source list.

Can I suggest the following (or something similar to it):

alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET 80 (msg:"ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow:established,to_server; content:"POST"; http_method; content:"/notify/"; http_uri; pcre:"/\/notify\/(single|mass)$/iU"; content:"defacer|3d|"; http_client_body; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; classtype:trojan-activity; sid:2001616; rev:14;)
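As an added illustration (not part of the list post, and not Emerging Threats code), the script below emulates the match conditions of the proposed rule in plain Python and runs them over a few constructed HTTP requests, so the effect of each option can be seen: `http_method` and `http_uri` content matches, the `pcre` with its `$` anchor on the URI buffer, and `content:"defacer|3d|"; http_client_body; depth:8;`, which requires the body match to end within the first 8 bytes of the client body. The request parser and the function names (`parse_request`, `rule_2001616_matches`, `evaluate_samples`) are hypothetical helpers written for this example; the sample requests are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass, field

# Emulates pcre:"/\/notify\/(single|mass)$/iU": case-insensitive, anchored
# at the end of the URI buffer, so a URI that continues past "single"/"mass"
# (e.g. with a query string) will not satisfy the rule as written.
URI_RE = re.compile(r"/notify/(single|mass)$", re.IGNORECASE)

# Hypothetical minimal HTTP request model (example code, not ET's).
@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, URI, headers and body.
    Simplified parser for the example: no chunked encoding, no folding."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)

def content_within_depth(buf: bytes, needle: bytes, depth: int) -> bool:
    """Emulate `content:"needle"; depth:N;`: the match must lie entirely
    inside the first N bytes of the buffer."""
    return buf.find(needle, 0, depth) != -1

def rule_2001616_matches(req: HttpRequest, dst_port: int = 80) -> bool:
    """Apply the rule's option checks in order; flow/IP variables are
    assumed satisfied except for the destination port 80 in the header."""
    if dst_port != 80:
        return False
    if "POST" not in req.method:                 # content:"POST"; http_method;
        return False
    if "/notify/" not in req.uri:                # content:"/notify/"; http_uri;
        return False
    if not URI_RE.search(req.uri):               # pcre:"/\/notify\/(single|mass)$/iU";
        return False
    # content:"defacer|3d|"; http_client_body; depth:8;  ("|3d|" is "=")
    return content_within_depth(req.body, b"defacer=", 8)

# Constructed sample requests for the example.
SAMPLES = {
    "post_single": (
        b"POST /notify/single HTTP/1.1\r\n"
        b"Host: www.zone-h.org\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 30\r\n\r\n"
        b"defacer=example&domain=example"
    ),
    "get_single": (
        b"GET /notify/single HTTP/1.1\r\n"
        b"Host: www.zone-h.org\r\n\r\n"
    ),
    "post_other_path": (
        b"POST /notify/status HTTP/1.1\r\n"
        b"Host: www.zone-h.org\r\n"
        b"Content-Length: 15\r\n\r\n"
        b"defacer=example"
    ),
    "post_mass_body_offset": (
        b"POST /notify/mass HTTP/1.1\r\n"
        b"Host: www.zone-h.org\r\n"
        b"Content-Length: 19\r\n\r\n"
        b"x=1&defacer=example"      # "defacer=" ends at byte 12 > depth 8
    ),
}

def evaluate_samples() -> dict:
    """Return {sample name: rule matched?} for every constructed request."""
    return {name: rule_2001616_matches(parse_request(raw))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} {'ALERT' if hit else '-'}")
```

The emulation is deliberately literal: because `depth:8` equals the length of `defacer=`, the body match only fires when the parameter is the very first one in the form body, which is the behaviour to confirm against real notification traffic before relying on it.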
