[Snort-sigs] flowbits check needed?

Y M snort at ...3751...
Sat Feb 15 16:08:45 EST 2014


I am trying to write this signature but not sure whether to add the flowbits check for the Java user agent. Thoughts?
 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/\/download\.asp\?p=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:100160; rev:1;)
 
YM
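As an added example (not from the post above or from any Snort ruleset), this is the two-rule flowbits pattern the question is about: the first rule marks the flow when a Java client User-Agent is seen and stays silent, the second fires on the payload URI only if that mark was set earlier on the same flow. The sids and the flowbit name `java.ua.seen` are placeholders chosen here; the pcre escapes the leading slash so that `\d` is read as the digit class at the end of the URI rather than swallowing the `d` of `download`.

```snort
# Rule 1: tag the flow once a " Java/1." User-Agent appears in a client request.
# flowbits:noalert keeps this rule from producing its own event.
# sid 1000001 and the flowbit name are placeholders, not from the list post.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Java User-Agent observed on flow"; flow:to_server,established; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,java.ua.seen; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2: alert on the Redkit payload URI only when the flow was already tagged,
# so a request with the URI but no Java UA anywhere on the flow does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request, Java UA seen on flow"; flow:to_server,established; flowbits:isset,java.ua.seen; content:"/download.asp?p="; http_uri; fast_pattern:only; pcre:"/\/download\.asp\?p=\d$/Ui"; classtype:trojan-activity; sid:1000002; rev:1;)
```

When both the User-Agent and the URI are expected in the same request, a single rule with both content matches (as in the original post) is enough; the flowbits split is only useful when the Java UA is seen in an earlier request on the same connection than the payload fetch.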