#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; nocase; content:!"nextgen-gallery"; nocase; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; classtype:trojan-activity; sid:2008373; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:32 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ASPROX Infected Site - ngg.js Request"; flow:established,to_server; content:"/ngg.js"; nocase; http_uri; content:!"nextgen-gallery"; nocase; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:5;)

Added 2011-02-04 17:27:32 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; content:!"nextgen-gallery"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:3;)

Added 2010-05-17 20:46:00 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; content:!"nextgen-gallery"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:3;)

Added 2010-05-17 20:46:00 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; content:!"nextgen-gallery"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:3;)

Added 2009-06-30 16:30:35 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; content:!"nextgen-gallery"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:3;)

Added 2009-06-30 16:30:35 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:2;)

Added 2009-02-06 19:00:54 UTC

Seeing increase in usage of Alex Rabe's NextGen? Gallery (http://alexrabe.boelinger.com/wordpress-plugins/nextgen-gallery) which is also named ngg.js which this rule false positives on because it is only checking for script name. usage is normaly in the path "./plugins/nextgen-gallery/js/ngg.js" for rabe's plugin.

-- FranklinJones - 16 Jun 2009

Dropping this sig, it's past it's useful life. Thanks Franklin!

-- MattJonkman - 16 Jun 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:2;)

Added 2009-02-06 19:00:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; sid:2008373; rev:1;)

Added 2008-07-07 12:35:34 UTC


Topic revision: r3 - 2009-06-16 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats