[Snort-sigs] Rig Exploit Kit outbound URI request signature

Geoffrey Serrao gserrao at ...435...
Thu Jul 10 12:39:59 EDT 2014


Excellent point, Nathan. My only concern would be entering the PCRE too
often (slight concern).

Ideally I'd like to include at least a 'depth' modifier or 'urilen' before
the content match. We shall see what comes out of testing!


On Thu, Jul 10, 2014 at 12:20 PM, lists at ...3397... <lists at ...3397...> wrote:

> On 07/10/2014 11:03 AM, Geoffrey Serrao wrote:
> > I've put into testing two rules which should cover both cases.
>
> I wouldn't fixate on the names in the .html files, they vary.  This is
> what Ify,
> Will, and I came up with on the Emerging-Threats side:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET CURRENT_EVENTS food.com compromise hostile JavaScript gate";
> flow:established,to_server;
> content:".html?0."; http_uri; fast_pattern:only;
> pcre:"/\/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$/U";
> classtype:trojan-activity; sid:2018505; rev:4;)
>
> Hmm, that's strange, the [a-z] should be {1,6} not {1,3} -- letting Will
> know now.
>
> Cheers,
> Nathan Fowler
>
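To make the evaluation order the thread is discussing concrete, here is an added Python model (not from the thread or the Emerging Threats rule set) that runs the quoted content prefilter and PCRE over constructed URIs. The urilen bound is an assumed stand-in for the modifier Geoffrey proposes, and both the posted {1,3} quantifier and Nathan's {1,6} correction are compared.

```python
import re
from typing import NamedTuple

# Content prefilter and PCRE from the ET rule quoted above (sid 2018505 rev 4).
CONTENT = ".html?0."
PCRE_AS_POSTED = re.compile(r"/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$")
# Nathan's correction: the letter run should allow up to six characters.
PCRE_CORRECTED = re.compile(r"/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$")


class Verdict(NamedTuple):
    uri: str
    content_hit: bool   # cheap fast_pattern prefilter fired
    pcre_hit: bool      # PCRE was evaluated and matched


def evaluate(uri: str, pcre: re.Pattern, max_urilen: int = 64) -> Verdict:
    """Mimic Snort's order: urilen bound, then content match, then PCRE."""
    # Assumed urilen cap, the kind of cheap bound Geoffrey wants before content.
    if len(uri) > max_urilen:
        return Verdict(uri, False, False)
    if CONTENT not in uri:
        return Verdict(uri, False, False)
    # Only URIs that survive the prefilters pay for the PCRE.
    return Verdict(uri, True, pcre.search(uri) is not None)


# Constructed sample URIs, not captured traffic.
SAMPLE_URIS = [
    "/ab.html?0.12345",        # two letters: matches as posted
    "/qwerty.html?0.98765a",   # six letters: only the corrected regex
    "/index.html?0.5",         # five letters: only the corrected regex
    "/index.html?0.5&x=1",     # trailing parameter defeats the $ anchor
    "/a" * 40 + ".html?0.1",   # exceeds the urilen bound, never reaches PCRE
    "/ab.php?0.1",             # never passes the content prefilter
]


def pcre_evaluations(pcre: re.Pattern) -> int:
    """How many sample URIs reached the PCRE stage (the cost Geoffrey worries about)."""
    return sum(evaluate(u, pcre).content_hit for u in SAMPLE_URIS)


def detections(pcre: re.Pattern) -> list:
    """URIs the full rule would alert on."""
    return [u for u in SAMPLE_URIS if evaluate(u, pcre).pcre_hit]
```

The prefilters let the same four URIs through under either regex; only the quantifier width decides which of them alert.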