[Snort-sigs] Rig Exploit Kit outbound URI request signature

Geoffrey Serrao gserrao at ...435...
Thu Jul 10 11:33:48 EDT 2014


Hi Nick,

Thanks for submitting this. I'll go ahead and push this rule to our testing
sensors.


On Thu, Jul 10, 2014 at 11:21 AM, Nicholas Mavis (nmavis) <nmavis at ...3916....>
wrote:

>  No love for this rule?
>
>   From: nmavis <nmavis at ...3865...>
> Date: Thursday, July 3, 2014 at 1:03 PM
> To: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
> Subject: Re: [Snort-sigs] Rig Exploit Kit outbound URI request signature
>
>   Forgot a forward slash in the content match. Revised below:
>
>  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
> Rig Exploit Kit Outbound DGA Request"; flow:to_server,established;
> content:”/nbe.html?0."; http_uri; fast_pattern:only;
> pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui”;
> flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight;
> metadata:service http; classtype:trojan-activity; )
>
>   From: nmavis <nmavis at ...3865...>
> Date: Thursday, July 3, 2014 at 12:49 PM
> To: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
> Subject: [Snort-sigs] Rig Exploit Kit outbound URI request signature
>
>   We have a few rules for Rig Exploit Kit however here is one for the DGA
> algorithm used. The reference article and rule are below:
>
>
> http://www.symantec.com/connect/ko/blogs/rig-exploit-kit-used-recent-website-compromise
>
>  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
> Rig Exploit Kit Outbound DGA Request"; flow:to_server,established;
> content:"nbe.html?0."; http_uri; fast_pattern:only;
> pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui";
> flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight;
> metadata:service http; classtype:trojan-activity; )
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
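Added example (not part of the thread above, and not Snort or Talos code): an offline model of the two match stages the posted rule relies on, the case-sensitive `content` fast-pattern prefilter on the URI buffer and the `pcre` with its `/U` (normalized URI) and `/i` (case-insensitive) modifiers, run over constructed sample URIs. It shows what the added leading slash changes in the prefilter, that the 16-17 digit bound is enforced only by the pcre, and that a mixed-case request would pass the pcre yet never reach it because `content` without `nocase` is case-sensitive. The URI normalization here (percent-decoding only) is a simplification of Snort's http_inspect normalization, and the sample URIs are made up for the demonstration.

```python
"""Offline check of the Rig Exploit Kit DGA URI rule's match logic.

Constructed example: models the two detection stages used by the rule
posted in the thread, the `content` fast-pattern prefilter on the
http_uri buffer and the `pcre` with the /U (normalized URI) and
/i (case-insensitive) modifiers.  The normalization below (percent-decoding
only) is an assumption that approximates Snort's http_inspect behaviour,
and every sample URI is made up.
"""
import re
from urllib.parse import unquote

# content matches from the two posted revisions of the rule
CONTENT_ORIGINAL = "nbe.html?0."   # first posting, no leading slash
CONTENT_REVISED = "/nbe.html?0."   # follow-up with the forward slash

# pcre from the rule: /U selects the normalized URI buffer, /i ignores case
RIG_DGA_PCRE = re.compile(r"^/nbe\.html\?0\.[0-9]{16,17}$", re.IGNORECASE)

# Constructed sample request URIs (not captured traffic)
SAMPLE_URIS = [
    "/nbe.html?0.1234567890123456",       # 16 digits: should alert
    "/nbe.html?0.12345678901234567",      # 17 digits: should alert
    "/nbe.html?0.123456789012345",        # 15 digits: pcre rejects
    "/nbe.html?0.1234567890123456&x=1",   # trailing data: pcre rejects ($)
    "/NBE.html?0.1234567890123456",       # pcre /i accepts, content does not
    "xnbe.html?0.1234567890123456",       # only the slash-less content hits
    "/dir/nbe.html?0.1234567890123456",   # content hits, ^ anchor rejects
]


def normalize_uri(raw_uri: str) -> str:
    """Approximate the normalized URI buffer: percent-decode only (assumption)."""
    return unquote(raw_uri)


def rule_matches(raw_uri: str, content: str,
                 pcre: "re.Pattern[str]" = RIG_DGA_PCRE) -> dict:
    """Evaluate one URI against a content prefilter plus the rule's pcre.

    Snort only evaluates the pcre once the content match has hit, so
    `alert` requires both stages to succeed.
    """
    uri = normalize_uri(raw_uri)
    # `content` without `nocase` is a case-sensitive substring test
    content_hit = content in uri
    pcre_hit = pcre.search(uri) is not None
    return {
        "uri": uri,
        "content": content_hit,
        "pcre": pcre_hit,
        "alert": content_hit and pcre_hit,
    }


def run_samples(content: str) -> dict:
    """Map each constructed sample URI to whether the rule would alert."""
    return {uri: rule_matches(uri, content)["alert"] for uri in SAMPLE_URIS}


if __name__ == "__main__":
    for label, content in (("original", CONTENT_ORIGINAL),
                           ("revised", CONTENT_REVISED)):
        print(f"== content:\"{content}\" ({label}) ==")
        for uri in SAMPLE_URIS:
            r = rule_matches(uri, content)
            print(f"content={r['content']!s:5} pcre={r['pcre']!s:5} "
                  f"alert={r['alert']!s:5}  {uri}")
```

The case-sensitivity row is the one to keep in mind when tuning: with the rule as posted, a request for `/NBE.html?0.<digits>` satisfies the `/i` pcre but is never handed to it, because the `content` prefilter is case-sensitive unless `nocase` is added. Whether that matters depends on whether the kit ever varies the case of the path, which the referenced write-up would have to establish.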