[Snort-sigs] Private Exploit Kit

Joel Esler jesler at ...435...
Fri Jul 5 13:56:08 EDT 2013


James,

I’m working on this exploit kit right now.  Your sig below does fire on one of the examples I have so I’ll tweak it some.

Thanks.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jul 5, 2013, at 1:44 PM, James Lay <jlay at ...3266...> wrote:

> Let's hope this isn't a muffed sig:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Private Exploit Kit outbound traffic"; flow:to_server,established; 
> content:"Java|2f|1"; http_header; 
> pcre:"/\x2ephp\x3f[a-z]+=[0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy 
> balanced-ips drop, policy security-ips drop, service http; 
> reference:url,http://www.malwaresigs.com/2013/07/03/another-unknown-ek; 
> classtype:trojan-activity; sid:10000084; rev:1;)
> 
> Thoughts on the pcre?...not sure if there's a better way..thanks all.
> 
> James
> 
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
> 
> Build for Windows Store.
> 
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130705/d65e1094/attachment.html>


More information about the Snort-sigs mailing list