[Snort-sigs] Rig Exploit Kit outbound URI request signature

Nicholas Mavis (nmavis) nmavis at ...3865...
Thu Jul 3 13:03:17 EDT 2014


Forgot a forward slash in the content match. Revised below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:to_server,established; content:"/nbe.html?0."; http_uri; fast_pattern:only; pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:service http; classtype:trojan-activity; )

From: nmavis <nmavis at ...3865...>
Date: Thursday, July 3, 2014 at 12:49 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Rig Exploit Kit outbound URI request signature

We have a few rules for Rig Exploit Kit however here is one for the DGA algorithm used. The reference article and rule are below:

http://www.symantec.com/connect/ko/blogs/rig-exploit-kit-used-recent-website-compromise

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:to_server,established; content:"nbe.html?0."; http_uri; fast_pattern:only; pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:service http; classtype:trojan-activity; )
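As an added example (not part of the post), the revised rule's URI logic in Python, run over constructed sample request paths: the content string acts as the fast-pattern prefilter (Snort content matches are case-sensitive without nocase) and the PCRE, with /i mapped to re.IGNORECASE, gives the final verdict. The /U flag is assumed here to mean the input is an already-normalized request URI.

```python
import re

# Content match from the revised rule. Snort content is case-sensitive
# unless nocase is set, so this prefilter will not see "/NBE.html".
CONTENT_MATCH = "/nbe.html?0."

# PCRE from the rule; Snort's /i maps to re.IGNORECASE. The /U flag is
# assumed to mean the caller passes the normalized URI buffer.
URI_PCRE = re.compile(r"^/nbe\.html\?0\.[0-9]{16,17}$", re.IGNORECASE)


def prefilter_hit(uri: str) -> bool:
    """Stage 1: the fast_pattern content check (plain substring match)."""
    return CONTENT_MATCH in uri


def matches_rig_dga_uri(uri: str) -> bool:
    """Return True when a normalized URI passes both the content prefilter
    and the anchored PCRE, i.e. when the rule would alert."""
    if not prefilter_hit(uri):
        return False
    return URI_PCRE.search(uri) is not None


def scan_uris(uris):
    """Return the URIs the rule logic alerts on, in input order."""
    return [u for u in uris if matches_rig_dga_uri(u)]


# Constructed sample URIs (made-up digit strings, not captured traffic).
SAMPLE_URIS = [
    "/nbe.html?0.1234567890123456",          # 16 digits: alert
    "/nbe.html?0.12345678901234567",         # 17 digits: alert
    "/nbe.html?0.123456789012345",           # 15 digits: PCRE fails
    "/nbe.html?0.123456789012345678",        # 18 digits: PCRE fails ($ anchor)
    "/nbe.html?0.1234567890123456&x=1",      # trailing data: PCRE fails
    "/images/nbe.html?0.1234567890123456",   # prefilter hits, ^ anchor fails
    "/NBE.html?0.1234567890123456",          # case-sensitive content misses
    "/index.html",                           # benign: prefilter misses
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{matches_rig_dga_uri(uri)!s:5}  prefilter={prefilter_hit(uri)!s:5}  {uri}")
```

The "/images/..." and "/NBE..." samples show the two stages disagreeing: the first is a prefilter hit that the anchored PCRE rejects, the second is a path the PCRE alone would accept but the case-sensitive content match never reaches.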