[Snort-sigs] Injected Eitest Script

Geoffrey Serrao gserrao at ...435...
Mon Oct 3 15:47:57 EDT 2016


The content matches are all ascii, so there is no need to hex escape them:

content:"6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20";
fast_pattern:only;

On Sun, Oct 2, 2016 at 10:04 AM, el cabezon <elcabezzonn at ...2420...> wrote:

> I've visited several websites that  follow the same pattern as rule
> sid:38275, "EXPLOIT-KIT Neutrino exploit kit redirection attempt, but
> replace the ascii with hex ascii. So i just converted the rule to hex ascii
> to hex and followed the same template that rule, sid:38275, used. Please
> let me know if this rule is too bloated. Any critiques and recommendations
> are welcome.
>
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
> Injected EITest script redirection attempt"; flow:to_client,established;
> file_data; content:"|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78
> 37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 36 63 78 37 34 78 36
> 35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38
> 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78
> 33 30 78 32 39 78 33 62 78 32 30|"; fast_pattern:only; content:"|32 64 78
> 36 64 78 36 66 78 37 61 78 32 64 78 36 66 78 37 30 78 36 31 78 36 33 78 36
> 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 32 32 78 33 65|";
> content:"|36 33 78 36 63 78 36 31 78 37 33 78 37 33 78 36 39 78 36 34 78 33
> 64 78 32 32 78 36 33 78 36 63 78 37 33 78 36 39 78 36 34 78 33 61 78 36 34
> 78 33 32 78 33 37 78 36 33 78 36 34 78 36 32 78 33 36 78 36 35 78 32 64 78
> 36 31 78 36 35 78 33 36 78 36 34 78 32 64 78 33 31 78 33 31 78 36 33 78 36
> 36 78 32 64 78 33 39 78 33 36 78 36 32 78 33 38 78 32 64 78 33 34 78 33 34
> 78 33 34 78 33 35 78 33 35 78 33 33 78 33 35 78 33 34 78 33 30 78 33 30 78
> 33 30 78 33 30 78 32 32|"; within:500; classtype:trojan-activity;
> sid:1000000008;rev:1;)
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161003/2f032dd4/attachment.html>


More information about the Snort-sigs mailing list