alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:2;)

Added 2009-02-06 19:00:54 UTC

Seeing increase in usage of Alex Rabe's NextGen? Gallery (http://alexrabe.boelinger.com/wordpress-plugins/nextgen-gallery) which is also named ngg.js which this rule false positives on because it is only checking for script name. usage is normaly in the path "./plugins/nextgen-gallery/js/ngg.js" for rabe's plugin.

-- FranklinJones - 16 Jun 2009

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:2;)

Added 2009-02-06 19:00:54 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; sid:2008373; rev:1;)

Added 2008-07-07 12:35:34 UTC