[Snort-sigs] Rule 36535 FP

James Lay jlay at ...3266...
Mon Oct 26 11:47:46 EDT 2015


Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client,established; file_data; content:"return"; content:"join"; within:8; content:"MSIE"; distance:0; content:"navigator"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36535; rev:1;)


Hit
15:43:06  [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 23.67.76.16:80 -> x.x.x.x:63142

2015-10-26T15:43:06+0000        x.x.x.x  63142   23.67.76.16     80      1       GET     player.ooyala.com       /v3/MDYzZmYzZjIwNTA0YjI4Y2YyM2JmNTgw?platform=html5-fallback    http://bleacherreport.com/articles/2577681-arian-foster-injury-updates-on-texans-stars-achilles-and-return?utm_source=newsletter&utm_medium=newsletter&utm_campaign=nfl        Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko    0       149401  200     OK

I've had to nuke this rule for three days now...

James
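As an added example (not part of James's post, and not code from the Snort rule set or from Ooyala), the Python below re-creates the content chain of sid:36535 and runs it over a constructed response body of the user-agent-sniffing kind that HTML5 fallback player scripts commonly contain. The body is constructed for illustration and is not the actual player.ooyala.com response; the within/distance semantics are modelled on Snort's documented behaviour (within:N = the next pattern must lie entirely inside the N bytes following the previous match, distance:N = the next pattern starts at least N bytes after it, and an earlier content is retried at its next occurrence when a later relative content fails). All function names are this example's own.

```python
"""Model the content chain of Snort sid:36535 and show which inputs satisfy it.

Added example, not a Snort component.  Assumptions: Snort 2.x semantics for
within/distance as described in the lead-in; content strings are plain text
(no |hex| escapes, no nocase), which is true for this particular rule.
"""
import re

# The rule exactly as posted, joined onto one line.
RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT '
    'Neutrino exploit kit landing page detected"; flow:to_client,established; '
    'file_data; content:"return"; content:"join"; within:8; content:"MSIE"; '
    'distance:0; content:"navigator"; within:60; metadata:policy balanced-ips '
    'drop, policy security-ips drop, service http; classtype:attempted-user; '
    'sid:36535; rev:1;)'
)


def parse_content_chain(rule):
    """Return [(pattern_bytes, modifiers), ...] for each content: option.

    Only within/distance are kept; each modifier attaches to the content
    that precedes it, as in Snort rule syntax.  Other options are ignored.
    """
    opts = rule[rule.index('(') + 1:rule.rindex(')')]
    chain = []
    for kw, val in re.findall(r'(\w+):((?:"[^"]*"|[^;])*);', opts):
        if kw == 'content':
            chain.append([val.strip('"').encode(), {}])
        elif kw in ('within', 'distance') and chain:
            chain[-1][1][kw] = int(val)
    return [(pat, mods) for pat, mods in chain]


def match_chain(buf, chain, prev_end=None):
    """Return [(pattern, offset), ...] if the whole chain matches buf, else None.

    Relative window for each content after the first:
      lo = end of previous match + distance (default 0)
      hi = lo + within              (default: end of buffer)
    The pattern must fit entirely inside [lo, hi).  Like Snort, we backtrack:
    if the rest of the chain fails, try the next occurrence of this pattern.
    """
    if not chain:
        return []
    pat, mods = chain[0]
    if prev_end is None:
        lo, hi = 0, len(buf)  # first content is unanchored
    else:
        lo = prev_end + mods.get('distance', 0)
        hi = lo + mods['within'] if 'within' in mods else len(buf)
    pos = buf.find(pat, lo)
    while pos != -1 and pos + len(pat) <= hi:
        rest = match_chain(buf, chain[1:], pos + len(pat))
        if rest is not None:
            return [(pat, pos)] + rest
        pos = buf.find(pat, pos + 1)
    return None


def rule_matches(body, rule=RULE):
    """Evaluate the rule's file_data content chain against an HTTP body."""
    return match_chain(body, parse_content_chain(rule))


# Constructed, benign-looking JavaScript (NOT the real Ooyala player script):
# a helper that returns an array joined into a string, followed by a browser
# check that tests navigator.userAgent for MSIE before choosing a fallback.
BENIGN_BODY = (
    b'function enc(s){var r=[];for(var i=0;i<s.length;i++)r.push(s.charCodeAt(i));'
    b'return r.join("")}'
    b'var ie=/MSIE|Trident/.test(navigator.userAgent);'
    b'if(ie){useFlashFallback()}else{useHtml5()}'
)

# Same script, but "join" now ends 11 bytes after "return" instead of 7,
# so the within:8 constraint fails and the rule does not fire.
NON_MATCHING_BODY = BENIGN_BODY.replace(b'return r.join', b'return parts.join')


if __name__ == '__main__':
    for label, body in (('benign', BENIGN_BODY), ('non-matching', NON_MATCHING_BODY)):
        hits = rule_matches(body)
        print(label, '->', 'ALERT' if hits else 'no alert')
        for pat, off in hits or []:
            print('   %-10s at offset %d' % (pat.decode(), off))
```

Running this fires on the benign body: four short tokens (`return`, `join`, `MSIE`, `navigator`) with loose spacing constraints describe ordinary minified user-agent-sniffing code at least as well as they describe a Neutrino landing page, which is why a CDN-served HTML5 fallback script trips the rule every day. The second body shows that the `within:8` constraint is the only part of the chain doing real work.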