[Snort-sigs] SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request

Joe Gedeon joe.gedeon at ...2420...
Wed Sep 24 08:37:34 EDT 2014

With this new signature, we are getting quite a few false positives for this
signature. Looking at the documentation linked in the signature, it seems
the section about not having a referrer was common in these. Is there
documentation that shows a recent version of the Astrum exploit kit is now
accepting requests with referrers in the header?

"with Astrum : show a referer and you'll get ignored and IP banned.
Firefox, Chrome and Opera are also ignored"

It seems this rule is completely missing the exploit attempt and is
creating a high number of false positives.

A sample ASCII packet that the rule is triggering on:
07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto
TCP (6), length 1052) > Flags [P.], cksum 0x617e
(correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012
E...J. at ...3957...[.P...a~..GET
Accept: */*
Accept-Language: en-US
x-flash-version: 11,8,800,175
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Host: brxserv-20.btrll.com
Connection: Keep-Alive
Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ;

Registered Linux User # 379282
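Added example, not from the post or from the Snort rule itself: a small Python triage script that parses the headers quoted above and evaluates the traits the linked Astrum write-up describes (no Referer, browser not Firefox/Chrome/Opera) together with the x-flash-version header. It assumes those traits as the heuristic, not the SID's actual detection logic, and uses a placeholder request line because the capture truncates it.

```python
"""Header-level triage of the request quoted in the post."""

def parse_request(raw):
    """Split a raw HTTP request into (request line, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers

# Browsers the quoted Astrum write-up says the kit ignores.
IGNORED_BROWSERS = ("firefox", "chrome", "opera")

def astrum_header_traits(headers):
    """Evaluate the header traits the quoted write-up attributes to Astrum victims."""
    ua = headers.get("user-agent", "").lower()
    return {
        "no_referer": "referer" not in headers,
        "flash_version_header": "x-flash-version" in headers,
        "browser_not_ignored": not any(b in ua for b in IGNORED_BROWSERS),
    }

def fits_loose_profile(raw):
    """True when every trait holds; ordinary Flash ad traffic satisfies all of them too."""
    _, headers = parse_request(raw)
    return all(astrum_header_traits(headers).values())

# Constructed from the headers quoted in the post; the request line is a
# placeholder because the capture truncates it.
AD_SERVER_REQUEST = """GET /placeholder HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,8,800,175
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Host: brxserv-20.btrll.com
Connection: Keep-Alive
Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ;
"""

# Constructed counter-example: a Chrome request carrying a Referer, which the
# write-up says Astrum would ignore.
CHROME_REQUEST = """GET /placeholder HTTP/1.1
Referer: http://example.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/37.0
Host: brxserv-20.btrll.com
"""

if __name__ == "__main__":
    print(astrum_header_traits(parse_request(AD_SERVER_REQUEST)[1]))
    print(fits_loose_profile(AD_SERVER_REQUEST), fits_loose_profile(CHROME_REQUEST))
```

The benign ad-server request satisfies every header trait, which is why a rule keyed on these traits alone fires on normal Flash traffic; a useful signature needs an anchor specific to the kit beyond the absence of a Referer.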