[Snort-sigs] Private Exploit Kit

James Lay jlay at ...3266...
Fri Jul 5 13:44:48 EDT 2013


Let's hope this isn't a muffed sig:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Private Exploit Kit outbound traffic"; flow:to_server,established; 
content:"Java|2f|1"; http_header; 
pcre:"/\x2ephp\x3f[a-z]+=[0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://www.malwaresigs.com/2013/07/03/another-unknown-ek; 
classtype:trojan-activity; sid:10000084; rev:1;)

Thoughts on the pcre?...not sure if there's a better way..thanks all.

James




More information about the Snort-sigs mailing list