[Snort-sigs] Rig Exploit Kit outbound URI request signature

Nicholas Mavis (nmavis) nmavis at ...3865...
Thu Jul 3 12:49:56 EDT 2014


We have a few rules for Rig Exploit Kit; however, here is one for the DGA algorithm used. The reference article and rule are below:

http://www.symantec.com/connect/ko/blogs/rig-exploit-kit-used-recent-website-compromise

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:to_server,established; content:"nbe.html?0."; http_uri; fast_pattern:only; pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:service http; classtype:trojan-activity; )
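The following Python is an added example, not code from the original post or from the Snort project. It reproduces the rule's matching logic (the case-sensitive `nbe.html?0.` content pre-filter, then the anchored, case-insensitive PCRE on the URI) and runs it over a handful of constructed HTTP request lines so the boundary cases (15 versus 16 versus 18 digits, a different path, trailing query junk) can be checked before the rule is deployed. The `http_uri` buffer in Snort is the normalized URI, so percent-decoding is approximated here with `urllib.parse.unquote`; that approximation and the sample request lines are assumptions, not observed Rig traffic.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Mirrors the rule's content option (no 'nocase', so case-sensitive) ...
CONTENT = "nbe.html?0."
# ... and its pcre, which is anchored at both ends and uses the /i flag.
URI_RE = re.compile(r"^/nbe\.html\?0\.[0-9]{16,17}$", re.IGNORECASE)


def request_uri(request_line: str) -> Optional[str]:
    """Pull the request-target out of an HTTP request line ("GET /x HTTP/1.1")."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].upper().startswith("HTTP/"):
        return None
    return parts[1]


def normalize_uri(uri: str) -> str:
    """Approximation of Snort's http_uri normalization (assumption): percent-decode only."""
    return unquote(uri)


def rule_matches(request_line: str) -> bool:
    """Return True if the request line would fire the Rig DGA rule."""
    uri = request_uri(request_line)
    if uri is None:
        return False
    uri = normalize_uri(uri)
    # Stage 1: fast_pattern content match must be present somewhere in the URI.
    if CONTENT not in uri:
        return False
    # Stage 2: the pcre must match the whole URI (anchored with ^ and $).
    return URI_RE.match(uri) is not None


# Constructed sample request lines (not real traffic); digits are arbitrary.
SAMPLE_REQUESTS = [
    "GET /nbe.html?0.1234567890123456 HTTP/1.1",         # 16 digits: fires
    "GET /nbe.html?0.12345678901234567 HTTP/1.1",        # 17 digits: fires
    "GET /nbe.html?0.%31234567890123456 HTTP/1.1",       # %31 decodes to '1': fires after normalization
    "GET /nbe.html?0.123456789012345 HTTP/1.1",          # 15 digits: too short
    "GET /nbe.html?0.123456789012345678 HTTP/1.1",       # 18 digits: too long
    "GET /dir/nbe.html?0.1234567890123456 HTTP/1.1",     # content hits, but ^ anchor fails
    "GET /nbe.html?0.1234567890123456&x=1 HTTP/1.1",     # trailing junk, $ anchor fails
    "GET /NBE.html?0.1234567890123456 HTTP/1.1",         # case-sensitive content never matches
    "GET /index.html HTTP/1.1",                          # unrelated request
]


def scan(requests: List[str]) -> List[str]:
    """Return the request lines that would trigger the rule."""
    return [line for line in requests if rule_matches(line)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(("ALERT " if rule_matches(line) else "      ") + line)
```

Note that the uppercase `NBE.html` line never fires even though the pcre carries `/i`: the content option has no `nocase`, so the fast-pattern stage rejects it first. If that variant should be caught, the content option needs `nocase` too.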