[Snort-sigs] SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request

Joe Gedeon joe.gedeon at ...2420...
Wed Sep 24 08:37:34 EDT 2014


With this new signature we are getting quite a few false positives for this
signature.   Looking at the documentation linked in the signature it seems
the section about not having a referrer was common in these.  Is there
documentation that shows a recent version of the Astrum exploit kit is now
accepting requests with referrers in the header?

"with Astrum : show a referer and you'll get ignored and IP banned.
Firefox, Chrome and Opera are also ignored"

It seems this rule is completely missing the exploit attempt and is
creating a high number of false positives.

A sample ascii packet that the rule is triggering on:
07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto
TCP (6), length 1052)
    192.168.1.28.58269 > 162.208.20.163.80: Flags [P.], cksum 0x617e
(correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012
E...J. at ...3957...[.P...a~..GET
/v1/epix/6835069/3845993/81088/122369/PbqfCmHAMhCcRUIqqIAAE8wAAB3gEAOq9pAAAAAAAxr2GnBMbwAQ/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_JmMxPTgmYzI9NjAwMDAwNiZjMz04MTA4OCZjND0zODQ1OTkzJmM1PTE4OTI3JmM2PTY4MzUwNjkmYzEwPTEyMjM2OSZjdj0xLjcmY2o9MSZybj0xNDExNTU4MDI0JnI9aHR0cCUzQSUyRiUyRnBpeGVsLnF1YW50c2VydmUuY29tJTJGcGl4ZWwlMkZwLWNiNkMwekZGN2RXakkuZ2lmJTNGbGFiZWxzJTNEcC42ODM1MDY5LjM4NDU5OTMuMCUyQ2EuMTg5MjcuODEwODguMTIyMzY5JTJDdS45NjguNjQweDM2MCUzQm1lZGlhJTNEYWQlM0JyJTNEMTQxMTU1ODAyNA/cnbd.
HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer:
http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/20140918.77768_master/Scout.swf?type=r&config_url_64=&hidefb=true&cx=&t=33&d=300x250&
x-flash-version: 11,8,800,175
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0;)
Host: brxserv-20.btrll.com
Connection: Keep-Alive
Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ;
MEB=BUqRdAABPPEAOtI8AAHejA


-- 
Registered Linux User # 379282
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140924/9b668669/attachment.html>


More information about the Snort-sigs mailing list