# sid 2015716 rev 3: the rule is commented out ("##") and its msg carries the
# "ET DELETED" category, so a rule parser treats this line as a comment and it
# produces no alerts.
# Apart from msg and rev, the options are the same as in the rev 2 entry listed
# further down this page.
# NOTE(review): the page gives no reason for the retirement; do not re-enable
# without checking the false-positive profile of the URI-shape match.
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:3;)

Added 2012-10-18 01:34:53 UTC


# sid 2015716 rev 2 (ET CURRENT_EVENTS). Per its msg, this flags a client
# reporting targeted software versions to a Blackhole2 server.
# Scope: established, client-to-server traffic from $HOME_NET to $EXTERNAL_NET
# on $HTTP_PORTS.
# Detection keys only on the shape of the request URI:
#   - urilen:>122 requires a URI longer than 122 bytes.
#   - ".php?" then "=", then "&" exactly 64 bytes after that "="
#     (distance:64; within:1), then another "=", then "&" exactly 20 bytes
#     after it (distance:20; within:1).
#   - The pcre (/U = normalized URI buffer) confirms the character classes:
#     a lowercase-letter parameter name with a 64-character lowercase-hex
#     value, then a loosely matched name ([^\?]+) with a 20-character
#     lowercase-hex value, followed by a further "&".
# distance/within are relative to the preceding content match, so the option
# order is significant and must be preserved when editing.
# NOTE(review): nothing here is tied to a host, path or parameter name, so any
# application sending a 64-hex token (the length of a SHA-256 hex digest)
# followed by a 20-hex value in a .php query string would also match; confirm
# against the destination and the surrounding session when triaging.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:2;)

Added 2012-10-01 21:48:06 UTC

