[Snort-sigs] Rig Exploit Kit outbound URI request signature

lists at ...3397...
Thu Jul 10 12:20:00 EDT 2014


On 07/10/2014 11:03 AM, Geoffrey Serrao wrote:
> I've put into testing two rules which should cover both cases. 

I wouldn't fixate on the names in the .html files; they vary.  This is what Ify,
Will, and I came up with on the Emerging-Threats side:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ET CURRENT_EVENTS food.com compromise hostile JavaScript gate"; \
    flow:established,to_server; \
    content:".html?0."; http_uri; fast_pattern:only; \
    pcre:"/\/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$/U"; \
    classtype:trojan-activity; \
    sid:2018505; rev:4;)

Hmm, that's strange, the [a-z] should be {1,6} not {1,3} -- letting Will know now.

Cheers,
Nathan Fowler
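The following is an added example, not part of the post above and not Emerging Threats code: it replays the rule's two URI checks (the fast-pattern content match and then the PCRE) in Python over a handful of constructed URIs, so the effect of the {1,3} versus {1,6} quantifier that the post points out can be seen directly. Snort's /U modifier selects the normalized URI buffer; Python's re has no equivalent, so the example simply applies the pattern to a path-plus-query string, which is an assumption of the example rather than Snort's behaviour.

```python
import re

# The PCRE from ET sid 2018505 rev 4 exactly as posted, and the variant with the {1,6}
# quantifier that the post says was intended. Snort's trailing /U modifier selects the
# normalized URI buffer; Python's re has no such flag, so this example (an assumption,
# not Snort itself) applies the pattern to a URI string directly.
PCRE_AS_POSTED = re.compile(r"\/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$")
PCRE_CORRECTED = re.compile(r"\/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$")

# The content match that Snort uses as the fast pattern: a cheap substring check that
# must succeed before the more expensive PCRE is evaluated at all.
FAST_PATTERN = ".html?0."


def rule_matches(uri, pcre):
    """Emulate the rule's URI checks: fast-pattern content first, then the PCRE."""
    if FAST_PATTERN not in uri:
        return False
    return pcre.search(uri) is not None


def classify(uri):
    """Return whether the posted and the corrected rule would each fire on this URI."""
    return {
        "as_posted": rule_matches(uri, PCRE_AS_POSTED),
        "corrected": rule_matches(uri, PCRE_CORRECTED),
    }


# Constructed sample URIs (not captured traffic) covering the cases that differ.
SAMPLE_URIS = [
    "/abc.html?0.7361",         # 3-letter name: both variants fire
    "/qwerty.html?0.1234567a",  # 6-letter name: only the {1,6} variant fires
    "/index.html?0.5",          # 5-letter, ordinary-looking name: only {1,6} fires,
                                # so the wider quantifier is worth checking against benign traffic
    "/abc.html?0.123&x=1",      # extra query data: the anchored $ stops both variants
    "/abc.php?0.123",           # fast pattern absent: the PCRE is never evaluated
]


def report(uris=SAMPLE_URIS):
    """Map each URI to its classification, for eyeballing the difference."""
    return {uri: classify(uri) for uri in uris}


if __name__ == "__main__":
    for uri, result in report().items():
        print(f"{uri:28s} posted={result['as_posted']!s:5s} corrected={result['corrected']}")
```

Running it shows that the {1,6} form catches the longer file names the posted {1,3} misses, while the trailing $ anchor and the fast-pattern prefilter behave the same in both variants.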



