2016-09-17 10:58 AM
We will share the rules. These rules are for investigating attacks that exploit a Flash vulnerability.
They also produce false positives, but they have actually detected attacks.
I hope I can be of some help to you.
***Situation***
Site A → Redirect → Site B (Flash Exploit)
1. Site A: WordPress vulnerability site
2. Malicious site: redirect
3. Site B: Flash exploit site
***Rule***
App Rule:
・Watch-WordPress
directory contains 'wp-content' && risk.info contains 'redirect' && filetype = 'zip','rar','x86 pe','windows_executable','windows executable'
・Watch-Content-Type-Exec
content='application/x-dosexec'
・Watch-Content-Type-SWF_but_php
extension='php' && content='application/x-shockwave-flash' && extension!='swf' && alias.host !='white list'
Report Rule:
alert begins 'Watch-'
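The three Watch- rules above are written in the NetWitness application-rule syntax, so they cannot be run outside that product. Below is an added example, not from the original post, that re-implements the same three predicates in Python over session metadata records and runs them against a handful of constructed sample sessions, so the matching logic (including the allow-list exclusion on the SWF-served-as-PHP rule) can be checked offline. The field names `directory`, `risk_info`, `filetype`, `content`, `extension` and `alias_host` mirror the meta keys used in the rules; the allow-list host and all sample sessions are assumptions constructed for the example. The redundant `extension!='swf'` clause is omitted because `extension='php'` already implies it.

```python
"""Re-implementation of the three 'Watch-' rules over session metadata records.

Added example, not part of the original post or the NetWitness product. Field
names mirror the meta keys used in the post's rules; the allow-list and the
sample sessions below are constructed, not captured traffic.
"""

# Assumed allow-list: hosts that legitimately serve Flash from a .php URL.
WHITELIST = {"cdn.example-whitelist.test"}

# Filetypes listed in the Watch-WordPress rule.
EXEC_FILETYPES = {"zip", "rar", "x86 pe", "windows_executable", "windows executable"}


def watch_wordpress(s):
    """Site A: a WordPress path flagged as redirecting and delivering an archive or executable."""
    return (
        "wp-content" in s.get("directory", "")
        and "redirect" in s.get("risk_info", "")
        and s.get("filetype") in EXEC_FILETYPES
    )


def watch_content_type_exec(s):
    """Any session whose HTTP Content-Type is a DOS/PE executable."""
    return s.get("content") == "application/x-dosexec"


def watch_content_type_swf_but_php(s):
    """Site B: a .php URL serving Flash content, excluding allow-listed hosts."""
    return (
        s.get("extension") == "php"
        and s.get("content") == "application/x-shockwave-flash"
        and s.get("alias_host") not in WHITELIST
    )


RULES = {
    "Watch-WordPress": watch_wordpress,
    "Watch-Content-Type-Exec": watch_content_type_exec,
    "Watch-Content-Type-SWF_but_php": watch_content_type_swf_but_php,
}


def evaluate(sessions):
    """Return (session_id, rule_name) for each firing rule; mirrors the report rule 'alert begins Watch-'."""
    alerts = []
    for s in sessions:
        for name, rule in RULES.items():
            if rule(s):
                alerts.append((s["id"], name))
    return alerts


# Constructed sample sessions (not real traffic):
SAMPLE_SESSIONS = [
    # WordPress upload path, redirect flagged, zip payload -> Watch-WordPress
    {"id": 1, "directory": "/wp-content/uploads/", "risk_info": "http redirect", "filetype": "zip",
     "content": "application/zip", "extension": "zip", "alias_host": "blog.example.test"},
    # PE executable by Content-Type -> Watch-Content-Type-Exec
    {"id": 2, "directory": "/", "risk_info": "", "filetype": "x86 pe",
     "content": "application/x-dosexec", "extension": "exe", "alias_host": "dl.example.test"},
    # .php URL serving Flash from a non-allow-listed host -> Watch-Content-Type-SWF_but_php
    {"id": 3, "directory": "/", "risk_info": "", "filetype": "swf",
     "content": "application/x-shockwave-flash", "extension": "php", "alias_host": "ad.example.test"},
    # Same pattern from an allow-listed host -> suppressed
    {"id": 4, "directory": "/", "risk_info": "", "filetype": "swf",
     "content": "application/x-shockwave-flash", "extension": "php", "alias_host": "cdn.example-whitelist.test"},
    # Ordinary WordPress page -> no alert
    {"id": 5, "directory": "/wp-content/themes/", "risk_info": "", "filetype": "html",
     "content": "text/html", "extension": "php", "alias_host": "blog.example.test"},
]

if __name__ == "__main__":
    for sid, rule in evaluate(SAMPLE_SESSIONS):
        print(f"session {sid}: {rule}")
```

Running the block reports one alert each for sessions 1, 2 and 3; session 4 is suppressed by the allow-list and session 5 matches nothing, which is the behaviour the original rules intend.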