[Snort-sigs] Injected Eitest Script

Joshua Williams joshuwi2 at ...435...
Mon Oct 3 16:21:56 EDT 2016


Hi el cabezon,

Thanks for your submission. Like Geoff pointed out, you don't need to hex
escape the characters in question because they're all ASCII characters.
Also, do you have a PCAP or a list of the sites in question? Once I've got
that, we'll put this rule through testing.


--
Josh Williams
Detection Response Team
TALOS Security Group

On Mon, Oct 3, 2016 at 3:47 PM, Geoffrey Serrao <gserrao at ...435...>
wrote:

> The content matches are all ASCII, so there is no need to hex escape them:
>
> content:"6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x
> 68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20"; fast_pattern:only;
>
> On Sun, Oct 2, 2016 at 10:04 AM, el cabezon <elcabezzonn at ...2420...> wrote:
>
>> I've visited several websites that follow the same pattern as rule
>> sid:38275, "EXPLOIT-KIT Neutrino exploit kit redirection attempt", but
>> replace the ASCII with hex ASCII. So I just converted the rule's ASCII
>> to hex and followed the same template that rule, sid:38275, used. Please
>> let me know if this rule is too bloated. Any critiques and recommendations
>> are welcome.
>>
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
>> Injected EITest script redirection attempt"; flow:to_client,established;
>> file_data; content:"|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78
>> 37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 36 63 78 37 34 78 36
>> 35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38
>> 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78
>> 33 30 78 32 39 78 33 62 78 32 30|"; fast_pattern:only; content:"|32 64 78
>> 36 64 78 36 66 78 37 61 78 32 64 78 36 66 78 37 30 78 36 31 78 36 33 78 36
>> 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 32 32 78 33 65|";
>> content:"|36 33 78 36 63 78 36 31 78 37 33 78 37 33 78 36 39 78 36 34 78 33
>> 64 78 32 32 78 36 33 78 36 63 78 37 33 78 36 39 78 36 34 78 33 61 78 36 34
>> 78 33 32 78 33 37 78 36 33 78 36 34 78 36 32 78 33 36 78 36 35 78 32 64 78
>> 36 31 78 36 35 78 33 36 78 36 34 78 32 64 78 33 31 78 33 31 78 36 33 78 36
>> 36 78 32 64 78 33 39 78 33 36 78 36 32 78 33 38 78 32 64 78 33 34 78 33 34
>> 78 33 34 78 33 35 78 33 35 78 33 33 78 33 35 78 33 34 78 33 30 78 33 30 78
>> 33 30 78 33 30 78 32 32|"; within:500; classtype:trojan-activity;
>> sid:1000000008;rev:1;)
>>
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>
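Added example (not from the thread or from Talos): a small decoder for Snort content: strings that shows the hex-escaped first match from the submitted rule and the plain-ASCII match from Geoff's reply yield identical bytes, and what those bytes spell out when read as "HHx" hex pairs.

```python
# Added example, not part of the mailing-list thread.
# Decodes Snort `content:` values and compares the two forms discussed above.

def snort_content_to_bytes(content: str) -> bytes:
    """Turn the value of a Snort content: keyword into raw bytes.
    Text outside |...| is literal ASCII; inside |...| it is whitespace-separated
    hex byte values. Backslash escapes (\\| \\; \\" \\\\) are unescaped."""
    out, i, n = bytearray(), 0, len(content)
    while i < n:
        c = content[i]
        if c == "|":                        # start of a |hex| section
            end = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:end])
            i = end + 1
        elif c == "\\" and i + 1 < n:       # escaped special character
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)

# First content match from the submitted rule, line breaks removed.
HEX_FORM = ("|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 "
            "37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 36 63 78 37 34 78 36 "
            "35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38 "
            "78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78 "
            "33 30 78 32 39 78 33 62 78 32 30|")

# The same match written as plain ASCII, as suggested in Geoff's reply.
ASCII_FORM = ("6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x"
              "68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20")

def forms_equivalent() -> bool:
    """True when both spellings of the match compile to the same byte pattern."""
    return snort_content_to_bytes(HEX_FORM) == snort_content_to_bytes(ASCII_FORM)

def decode_xhh_pairs(s: str) -> str:
    """Read 'HHxHHx...' (hex pairs separated by 'x') as the text they encode,
    which is what the matched fragment of the injected script spells out."""
    return bytes.fromhex(s.replace("x", " ")).decode("ascii")

if __name__ == "__main__":
    print("same bytes:", forms_equivalent())
    print("matched text decodes to:", repr(decode_xhh_pairs(ASCII_FORM)))
```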