[Snort-sigs] Rawin EK
jesler at ...435...
Fri Jun 21 10:32:05 EDT 2013
On Jun 21, 2013, at 10:05 AM, lists at ...3397... wrote:
> On 06/20/2013 06:02 PM, Joel Esler wrote:
>> Thanks, this is how I added it:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin
>> exploit kit outbound java retrieval"; flow:to_server,established;
>> content:".php?b="; http_uri; content:"&v=1."; distance:0; http_uri;
>> pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy
>> security-ips drop, ruleset community, service http; classtype:trojan-activity;
>> sid:26985; rev:1;)
> Great, thanks Joel for the feedback, sig looks good. Anyone get exploit
> payload, not hostile jar, on this one?
I haven't yet.
That being said, this is being discussed on another list I'm on right now, and I suggested the name "Rawin" (since that's what you called it), and that's the name I think they've adopted for it. The list hasn't seen the payload for it yet either.
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs