EmergingThreats> Main Web>2008373 (revision 2)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:2;)

Added 2009-02-06 19:00:54 UTC

Seeing increase in usage of Alex Rabe's NextGen? Gallery (http://alexrabe.boelinger.com/wordpress-plugins/nextgen-gallery) which is also named ngg.js which this rule false positives on because it is only checking for script name. usage is normaly in the path "./plugins/nextgen-gallery/js/ngg.js" for rabe's plugin.

-- FranklinJones - 16 Jun 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:2;)

Added 2009-02-06 19:00:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; sid:2008373; rev:1;)

Added 2008-07-07 12:35:34 UTC


Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2009-06-16 - FranklinJones
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats