[Snort-sigs] Rawin EK

lists at ...3397... lists at ...3397...
Fri Jun 21 10:05:56 EDT 2013

On 06/20/2013 06:02 PM, Joel Esler wrote:
> Thanks, this is how I added it:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin
> exploit kit outbound java retrieval"; flow:to_server,established;
> content:".php?b="; http_uri; content:"&v=1."; distance:0; http_uri;
> pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy
> security-ips drop, ruleset community, service http; classtype:trojan-activity;
> sid:26985; rev:1;)

Great, thanks Joel for the feedback, sig looks good.  Anyone get exploit
payload, not hostile jar, on this one?


More information about the Snort-sigs mailing list