[Snort-sigs] Injected Eitest Script

el cabezon elcabezzonn at ...2420...
Mon Oct 3 17:50:48 EDT 2016


I appreciate your recommendation, Mr. Serrao. Here is the revised rule.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Injected EITest script redirection attempt"; flow:to_client,established; file_data; content:"opacity|3a|0|3b|filter|3a|alpha(opacity=0)|3b 20|"; fast_pattern:only; content:"-moz-opacity|3a|0|3b 22 3e|"; content:"classid=|22|clsid|3a|d27cdb6e-ae6d-11cf-96b8-444553540000|22|"; within:500; classtype:trojan-activity; sid:1000000008; rev:2;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161003/dff2a312/attachment.html>
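Added example, not code from the poster or from the Snort project: the three content strings in the rule above are hex for the raw bytes "opacity:0;filter:alpha(opacity=0); ", "-moz-opacity:0;\">" and "classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\"". The script below decodes them from the posted notation and replays the rule's matching chain (fast pattern prefilter, independent second content, third content restricted by within:500) over constructed HTML bodies. It assumes the hex is meant as raw bytes in the response body; the sample bodies are invented, not captures.

```python
"""Replay of the EITest rule's content chain over constructed HTML bodies.
Added example; not the poster's rule text and not Snort code."""

# The three content strings exactly as posted: hex pairs separated by 'x'.
RULE_HEX = [
    "6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20",
    "2dx6dx6fx7ax2dx6fx70x61x63x69x74x79x3ax30x3bx22x3e",
    "63x6cx61x73x73x69x64x3dx22x63x6cx73x69x64x3ax64x32x37x63x64x62x36x65x2dx61x65x36x64x2dx31x31x63x66x2dx39x36x62x38x2dx34x34x34x35x35x33x35x34x30x30x30x30x22",
]
WITHIN = 500  # the rule's within:500 on the third content


def decode_rule_hex(posted: str) -> bytes:
    """Turn the posted 'xx' hex notation into the raw bytes the content keyword matches."""
    return bytes.fromhex(posted.replace("x", ""))


C1, C2, C3 = (decode_rule_hex(h) for h in RULE_HEX)


def rule_matches(body: bytes, nocase: bool = False) -> bool:
    """Mimic the rule's content chain on a reassembled HTTP response body.

    - C1 is the fast pattern: if it is absent the rule is never evaluated.
    - C2 has no relative modifier, so it is searched anywhere in the buffer.
    - C3 has within:500, so it must sit entirely inside the 500 bytes that
      follow the end of a C2 hit; every C2 occurrence is tried.
    nocase=True shows what adding 'nocase' to all three contents would do;
    the rule as posted is case-sensitive.
    """
    if nocase:
        hay, c1, c2, c3 = body.lower(), C1.lower(), C2.lower(), C3.lower()
    else:
        hay, c1, c2, c3 = body, C1, C2, C3
    if c1 not in hay:
        return False
    pos = 0
    while True:
        i = hay.find(c2, pos)
        if i == -1:
            return False
        end = i + len(c2)
        if c3 in hay[end:end + WITHIN]:
            return True
        pos = i + 1


# Constructed samples (not real captures). INJECTED mirrors the hidden-div plus
# Flash <object> layout the rule targets; the surrounding markup is filler.
INJECTED = (
    b"<html><body><h1>Welcome</h1>\n"
    b'<div style="position:absolute;top:-20px;left:-20px;opacity:0;filter:alpha(opacity=0); -moz-opacity:0;">'
    b'<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1">'
    b'<param name="movie" value="/x.swf"></object></div>\n'
    b"</body></html>"
)
CLEAN = b"<html><body><h1>Welcome</h1><p>No flash here.</p></body></html>"
# Same markup, but the <object> is pushed more than 500 bytes past the div's
# closing quote, so within:500 no longer holds and the rule stays silent.
FAR_APART = INJECTED.replace(
    b'"><object', b'"><!--' + b"A" * 600 + b"--><object"
)
# Flash classid in upper case, the form Adobe's own embed snippets use.
UPPER_CLSID = INJECTED.replace(
    b"d27cdb6e-ae6d-11cf-96b8-444553540000", b"D27CDB6E-AE6D-11CF-96B8-444553540000"
)

if __name__ == "__main__":
    for name, body in [("INJECTED", INJECTED), ("CLEAN", CLEAN),
                       ("FAR_APART", FAR_APART), ("UPPER_CLSID", UPPER_CLSID)]:
        print(f"{name:12} match={rule_matches(body)!s:5} "
              f"with nocase={rule_matches(body, nocase=True)}")
```

The UPPER_CLSID case is the caveat worth checking before deploying the rule: as posted, the classid content is case-sensitive, and the upper-case spelling of that classid is common in embed markup, so adding nocase to that content (or all three) is worth considering if the injections seen in your traffic vary in case.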