Snorting the Web Farm

Jun 10th

Posted in Development

1 comment

Here are some rules for you snort freaks to chew on that I have found useful in web heavy environments.

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE x2300 phpshell detected"; content:"Locus7Shell"; nocase; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300010; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE RFI Scanner detected"; content:"RFI Scanner"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300020; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE lila.jpg phpshell detected"; content:"CMD PHP"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300030; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE ALBANIA id.php detected"; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300040; rev:2;)

alert tcp More >
,

BOGON Filtering, Update It

Apr 17th

Posted in Development

One of the features used by APF to prevent address spoofing is that it filters reserved IP address space, also known as BOGON filtering. This is an otherwise very reliable method to keep out random unallocated spoofed addresses from injecting traffic towards your server, assuming of course the list is updated regularly.

We decided a few months ago that we would disable by default all remote features in APF, including the auto updating of the reserved networks file (BOGON filter list), however this was done with one ill-fated consequence… That if you do not turn on the update feature yourself you More >

, ,

“oops” Wrong Server!

Mar 31st

Posted in My Blog

No comments

So this past weekend, I did the unthinkable, I accidentally recycled the wrong dedicated server at work. Usually, this is not much of an issue  (not that I make a habit of it) with the continuous data protection we have implemented at the data center (cdp r1soft) except that the backup server this particular client system was using had suffered a catastrophic raid failure the very night before. We have had raid arrays go bust on us before, typically very rare but it does happen… Obviously this resulted in the clients site and databases getting absolutely toasted and having only More >

, , ,

New Site, At Last!

Mar 1st

Posted in My Blog

It has been on my plate for a long time now to redo the R-fx Networks site, although this process began some years ago with a few incarnations of new sites developing behind the scenes, none ever made it into production. In the end I drew the conclusion that sometimes simpler is better, so here we have it – the new R-fx Networks site – devoted to the projects and my personal work as a whole.

Where I want to go with this new site is explained a bit in the about us section, so head on over there if you have More >

« First...«23456