[Snort-sigs] Injected Eitest Script

el cabezon elcabezzonn at ...2420...
Sun Oct 2 10:04:54 EDT 2016


I've visited several websites that follow the same pattern as rule
sid:38275, "EXPLOIT-KIT Neutrino exploit kit redirection attempt", but
replace the ASCII with hex ASCII. So I just converted the rule to hex ASCII
and followed the same template that rule, sid:38275, used. Please
let me know if this rule is too bloated. Any critiques and recommendations
are welcome.


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXPLOIT-KIT Injected EITest script redirection attempt"; \
    flow:to_client,established; file_data; \
    content:"|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 36 63 78 37 34 78 36 35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78 33 30 78 32 39 78 33 62 78 32 30|"; fast_pattern:only; \
    content:"|32 64 78 36 64 78 36 66 78 37 61 78 32 64 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 32 32 78 33 65|"; \
    content:"|36 33 78 36 63 78 36 31 78 37 33 78 37 33 78 36 39 78 36 34 78 33 64 78 32 32 78 36 33 78 36 63 78 37 33 78 36 39 78 36 34 78 33 61 78 36 34 78 33 32 78 33 37 78 36 33 78 36 34 78 36 32 78 33 36 78 36 35 78 32 64 78 36 31 78 36 35 78 33 36 78 36 34 78 32 64 78 33 31 78 33 31 78 36 33 78 36 36 78 32 64 78 33 39 78 33 36 78 36 32 78 33 38 78 32 64 78 33 34 78 33 34 78 33 34 78 33 35 78 33 35 78 33 33 78 33 35 78 33 34 78 33 30 78 33 30 78 33 30 78 33 30 78 32 32|"; within:500; \
    classtype:trojan-activity; sid:1000000008; rev:1;)
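The hex in this rule decodes in two steps: Snort's |..| notation gives the literal text the sensor searches for, and that text is itself hex-escaped ('x'-joined pairs, i.e. JavaScript \x escapes without the backslashes) for the CSS and classid strings that sid:38275 matches in plain ASCII. The decoder below is an added illustration, not part of the original message or of Snort, and assumes nothing beyond the rule text posted above.

```python
import re

# The rule from the message above, in its original mail-wrapped form (Snort
# ignores whitespace inside |..| hex sections, and so does this decoder).
RULE = """alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
Injected EITest script redirection attempt"; flow:to_client,established;
file_data; content:"|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78
37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 36 63 78 37 34 78 36
35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38
78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78
33 30 78 32 39 78 33 62 78 32 30|"; fast_pattern:only; content:"|32 64 78
36 64 78 36 66 78 37 61 78 32 64 78 36 66 78 37 30 78 36 31 78 36 33 78 36
39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 32 32 78 33 65|";
content:"|36 33 78 36 63 78 36 31 78 37 33 78 37 33 78 36 39 78 36 34 78 33
64 78 32 32 78 36 33 78 36 63 78 37 33 78 36 39 78 36 34 78 33 61 78 36 34
78 33 32 78 33 37 78 36 33 78 36 34 78 36 32 78 33 36 78 36 35 78 32 64 78
36 31 78 36 35 78 33 36 78 36 34 78 32 64 78 33 31 78 33 31 78 36 33 78 36
36 78 32 64 78 33 39 78 33 36 78 36 32 78 33 38 78 32 64 78 33 34 78 33 34
78 33 34 78 33 35 78 33 35 78 33 33 78 33 35 78 33 34 78 33 30 78 33 30 78
33 30 78 33 30 78 32 32|"; within:500; classtype:trojan-activity;
sid:1000000008;rev:1;)"""

_CONTENT_OPT = re.compile(r'content:"((?:[^"\\]|\\.)*)"')  # one content:"..." option
_HEX_SECTION = re.compile(r"\|([0-9A-Fa-f\s]*)\|")        # one |..| hex section

def content_to_bytes(content):
    """Decode one Snort content string ('ab|20 63|d' style) to raw bytes."""
    out, pos = bytearray(), 0
    for m in _HEX_SECTION.finditer(content):
        out += content[pos:m.start()].encode("latin-1")   # literal text part
        out += bytes.fromhex("".join(m.group(1).split()))  # hex part, spaces dropped
        pos = m.end()
    return bytes(out + content[pos:].encode("latin-1"))

def rule_contents(rule):
    """Raw bytes of every content: option in the rule, in rule order."""
    return [content_to_bytes(m.group(1)) for m in _CONTENT_OPT.finditer(rule)]

def unescape_hex_text(text):
    """Second level: the matched bytes are 'x'-joined hex pairs (JS \\x
    escapes with the backslashes absent), e.g. '6fx70' -> 'op'."""
    return bytes(int(pair, 16) for pair in text.split("x")).decode("ascii")

def decode_rule(rule=RULE):
    """Plain-text form of each content, i.e. what sid:38275 matches in ASCII."""
    return [unescape_hex_text(c.decode("ascii")) for c in rule_contents(rule)]

if __name__ == "__main__":
    for raw, plain in zip(rule_contents(RULE), decode_rule(RULE)):
        print(f"{raw.decode('ascii')!r}\n    -> {plain!r}")
```

Note that the content bytes carry 'x' (0x78) between pairs but no backslash (0x5c), so the rule only fires on traffic written that way; the same decoder shows quickly what any candidate sample would have to contain.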