[Snort-sigs] SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request

Y M snort at ...3751...
Wed Sep 24 11:46:52 EDT 2014

Inline please.

Date: Wed, 24 Sep 2014 08:37:34 -0400
From: joe.gedeon at ...2420...
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash	exploit payload request

With this new signature we are getting quite a few false positives for this signature.   Looking at the documentation linked in the signature it seems the section about not having a referrer was common in these.  Is there documentation that shows a recent version of the Astrum exploit kit is now accepting requests with referrers in the header?
"with Astrum : show a referer and you'll get ignored and IP banned. Firefox, Chrome and Opera are also ignored"
# I believe the author of the article was referring to the landing page of the exploit kit. If you look at the pcaps made available by the author of the article, all landing page did not    have the referer HTTP header. In this case, the payload request (or redirection) is referred by the landing page, in other words, the payload request has the landing page URL    as the referer.  
It seems this rule is completely missing the exploit attempt and is creating a high number of false positives.
# I just ran the sigs (sid:319565 - sid:31972) against the same pcaps of the article's author and the detection is there. How is it missing the exploit attempt? Or am I missing     something? :)
A sample ascii packet that the rule is triggering on:07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto TCP (6), length 1052) > Flags [P.], cksum 0x617e (correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012E...J. at ...3957...[.P...a~..GET /v1/epix/6835069/3845993/81088/122369/PbqfCmHAMhCcRUIqqIAAE8wAAB3gEAOq9pAAAAAAAxr2GnBMbwAQ/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_JmMxPTgmYzI9NjAwMDAwNiZjMz04MTA4OCZjND0zODQ1OTkzJmM1PTE4OTI3JmM2PTY4MzUwNjkmYzEwPTEyMjM2OSZjdj0xLjcmY2o9MSZybj0xNDExNTU4MDI0JnI9aHR0cCUzQSUyRiUyRnBpeGVsLnF1YW50c2VydmUuY29tJTJGcGl4ZWwlMkZwLWNiNkMwekZGN2RXakkuZ2lmJTNGbGFiZWxzJTNEcC42ODM1MDY5LjM4NDU5OTMuMCUyQ2EuMTg5MjcuODEwODguMTIyMzY5JTJDdS45NjguNjQweDM2MCUzQm1lZGlhJTNEYWQlM0JyJTNEMTQxMTU1ODAyNA/cnbd. HTTP/1.1Accept: */*Accept-Language: en-USReferer: http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/20140918.77768_master/Scout.swf?type=r&config_url_64=&hidefb=true&cx=&t=33&d=300x250&x-flash-version: 11,8,800,175Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0;)Host: brxserv-20.btrll.comConnection: Keep-AliveCookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ; MEB=BUqRdAABPPEAOtI8AAHejA
# Just to be clear, does the above capture represent an actual exploit or the FP you are referring to? 

Registered Linux User # 379282

Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

Please visit http://blog.snort.org for the latest news about Snort! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140924/b5a7c5c0/attachment.html>

More information about the Snort-sigs mailing list