[prev in list] [next in list] [prev in thread] [next in thread]
List: emerging-sigs
Subject: Re: [Emerging-Sigs] duplicates rules
From: Darien Huss <dhuss () emergingthreats ! net>
Date: 2014-09-24 12:28:08
Message-ID: CAKcCgkWrMSkqPKu99toDmHkTo70Jb=G0zW85UTLYeSCQdaWdSg () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Thanks again, we'll get this fixed up today.
Regards,
Darien
On Tue, Sep 23, 2014 at 6:51 PM, Russell Fulton <r.fulton@auckland.ac.nz>
wrote:
> These versions are from the wiki.
>
> alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla
> Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT
> for JCE)"; http_header; classtype:web-application-attack; sid:2016032;
> rev:3;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN JCE
> Joomla Extension User-Agent (BOT)"; flow:to_server,established;
> content:"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header;
> reference:url,exploit-db.com/exploits/17734/; reference:url,
> blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html;
> classtype:attempted-recon; sid:2018327; rev:2;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
[Attachment #5 (text/html)]
<div dir="ltr">Thanks again, we'll get this fixed up \
today.<br><br>Regards,<br>Darien<br></div><div class="gmail_extra"><br><div \
class="gmail_quote">On Tue, Sep 23, 2014 at 6:51 PM, Russell Fulton <span \
dir="ltr"><<a href="mailto:r.fulton@auckland.ac.nz" \
target="_blank">r.fulton@auckland.ac.nz</a>></span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">These versions are from the wiki.<br> <br>
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla \
Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT \
for JCE)"; http_header; classtype:web-application-attack; sid:2016032; \
rev:3;)<br> <br>
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN JCE \
Joomla Extension User-Agent (BOT)"; flow:to_server,established; \
content:"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header; \
reference:url,<a href="http://exploit-db.com/exploits/17734/" \
target="_blank">exploit-db.com/exploits/17734/</a>; reference:url,<a \
href="http://blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html" \
target="_blank">blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html</a>; \
classtype:attempted-recon; sid:2018327; rev:2;)<br> \
_______________________________________________<br> Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@lists.emergingthreats.net">Emerging-sigs@lists.emergingthreats.net</a><br>
<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" \
target="_blank">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br>
Support Emerging Threats! Subscribe to Emerging Threats Pro <a \
href="http://www.emergingthreats.net" \
target="_blank">http://www.emergingthreats.net</a><br> <br>
</blockquote></div><br></div>
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic