[Snort-sigs] Rule message change 27875

Y M snort at ...3751...
Mon Jan 13 14:47:01 EST 2014

The rule is still relevant though in the context of the exploit kit as it has been observed in a very recent case.

From: jesler at ...3865...
To: joseph.cooper at ...3872...
Date: Wed, 8 Jan 2014 20:55:45 +0000
CC: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Rule message change 27875

On Jan 8, 2014, at 2:22 PM, Joseph Cooper <joseph.cooper at ...3872...> wrote:

I was wanting your opinions and checking to see if we could get the msg for this rule changed. The rule doesn’t actually look for DotCachef itself, but for JJEncoding, which a lot of software and ad sites are starting to use.

Having the rule message state it is an Exploit-Kit has caused fellow analysts to continuously look for what is not there, and I feel a change would be beneficial to all.

Let me know what you think :)


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27875; rev:1; )

Sounds good, I’ll adjust it to something more appropriate.
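To make concrete what the thread is arguing about, here is an added example (not code from the thread, from Snort, or from the rule's authors) that decodes the content match of sid:27875 into the raw bytes it looks for and runs it over two constructed HTTP response bodies: one containing a fragment written in the style of the JJEncode prologue, one a plain script. The sample bodies are constructed for this example and are not captures from any real site; the rule text is the one quoted above.

```python
import re

# The rule exactly as quoted in the thread (sid:27875, rev:1).
RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit landing page"; '
    'flow:to_client,established; file_data; '
    'content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service http; '
    'classtype:trojan-activity; sid:27875; rev:1; )'
)

# Constructed sample 1: a body whose script starts with the generic
# JJEncode prologue.  Any JJEncoded script opens this way, whatever
# the encoded payload is, which is the point raised in the thread.
JJENCODE_SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><script>$=~[];$={___:++$,$$$$:(![]+\"\")[$],__$:++$};"
    b"</script></html>"
)

# Constructed sample 2: an ordinary page with no JJEncode in it.
BENIGN_SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><script>var total = 0; for (var i = 0; i < 3; i++) total += i;"
    b"</script></html>"
)


def extract_content(rule: str) -> str:
    """Return the (first) content:"..." string of a Snort rule, still in Snort syntax."""
    m = re.search(r'content:"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no content option")
    return m.group(1)


def snort_content_to_bytes(content: str) -> bytes:
    """Decode Snort content syntax: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out.extend(part.encode("latin-1"))      # literal segment
        else:
            out.extend(bytes.fromhex(part))         # hex segment, spaces allowed
    return bytes(out)


def rule_matches(body: bytes, rule: str = RULE) -> bool:
    """True if the rule's content pattern occurs anywhere in the response body.

    This models only the content/file_data part of the rule; flow direction,
    ports and policy metadata are not evaluated here.
    """
    return snort_content_to_bytes(extract_content(rule)) in body


if __name__ == "__main__":
    pattern = snort_content_to_bytes(extract_content(RULE))
    print("rule looks for:", pattern)
    for name, body in (("jjencode", JJENCODE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{name:9s} -> {'ALERT' if rule_matches(body) else 'no match'}")
```

Decoding the match shows the rule fires on the literal bytes `,$$$$:(![]+"")`, which is the opening of the JJEncode symbol table rather than anything specific to one exploit kit; that is why an analyst seeing the "EXPLOIT-KIT DotCachef" message on an ad-network page finds nothing kit-related behind it, and why a message naming the encoding is the more accurate label for the detection.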
