
List:       emerging-sigs
Subject:    [Emerging-Sigs] Signatures on Malware E-mail and XSS Attacks
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2008-10-17 20:05:21
Message-ID: 48F8F001.1050004 () jonkmans ! com

Good sigs Veerendra. The ecard one is great, it should apply to many
attacks for a very long time.

Posting now, thanks

Matt

Veerendra GG wrote:
> # 14/10/2008 Microsoft PicturePusher XSS
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft
> PicturePusher ActiveX Cross Site File Upload Attack"; content:"clsid";
> nocase; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase;
> pcre:"/http\://.*?[\w]{4,}=1/i"; nocase;
> pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; nocase;
> reference:url,milw0rm.com/exploits/6699;
> classtype:web-application-attack; sid:9031; rev:1;)
> 
> # 16/10/2008 eCard Email Malware Attack
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"eCard email malware
> attack - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\:
> You have received an eCard"; nocase; content:"e-card.zip"; nocase;
> classtype:trojan-activity;
> reference:url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/;
> sid:9032; rev:1;)
> 
> 
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
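
The payload logic of the eCard rule quoted above (sid:9032), as an added example that is not part of the original message or of the Emerging Threats ruleset: a Python approximation of its two nocase content matches, run over constructed SMTP payloads. The function names, addresses and sample messages are assumptions made for illustration.

```python
# Added example: approximates the payload checks of the quoted sid:9032 rule.
# Not modelled: flow:established,to_server, port 25, TCP stream reassembly.

# Both content options from the rule; each carries the nocase modifier.
RULE_9032_CONTENTS = (
    b"\r\nSubject: You have received an eCard",  # |0d 0a| in the rule is CRLF
    b"e-card.zip",
)

def rule_9032_matches(payload: bytes) -> bool:
    """True when every content string occurs anywhere in payload, ignoring case."""
    haystack = payload.lower()
    return all(needle.lower() in haystack for needle in RULE_9032_CONTENTS)

def smtp_data(subject, body_lines, attachment=None) -> bytes:
    """Build a constructed, minimal SMTP DATA payload with CRLF line endings."""
    lines = ["From: sender@example.com", "To: user@example.org",
             f"Subject: {subject}", "MIME-Version: 1.0",
             'Content-Type: multipart/mixed; boundary="b1"', "",
             "--b1", "Content-Type: text/plain", "", *body_lines]
    if attachment:
        lines += ["--b1", "Content-Type: application/zip",
                  f'Content-Disposition: attachment; filename="{attachment}"',
                  "Content-Transfer-Encoding: base64", "", "UEsDBA=="]
    lines += ["--b1--", ""]
    return "\r\n".join(lines).encode("ascii")

# Constructed samples (not captured traffic).
SAMPLES = {
    "lure with attachment": smtp_data(
        "You have received an eCard", ["Open the attachment."], "e-card.zip"),
    "case-varied lure": smtp_data(
        "YOU HAVE RECEIVED AN ECARD", ["See attached."], "E-Card.ZIP"),
    "same subject, no attachment": smtp_data(
        "You have received an eCard", ["View it online."]),
    "other subject, same filename": smtp_data(
        "Holiday photos", ["Enjoy."], "e-card.zip"),
    # A helpdesk warning quoting the lure in its body satisfies both contents.
    "forwarded warning": smtp_data(
        "Phishing notice", ["The lure reads:",
                            "Subject: You have received an eCard",
                            "Do not open e-card.zip."]),
}

def evaluate_samples() -> dict:
    """Map each sample name to whether the approximated rule would alert."""
    return {name: rule_9032_matches(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'no alert':8}  {name}")
```

The "forwarded warning" sample alerts because neither content is tied to the header block or to the attachment filename field, which is the false-positive case to expect when tuning this rule.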


