[Snort-users] [Emerging-Sigs] Signatures for Clients POSTing to SEO/NEOsploit Exploit Kits - Round 2

Eoin Miller eoin.miller at ...14586...
Tue Aug 10 18:24:45 EDT 2010


  On 8/10/2010 10:17 PM, Will Metcalf wrote:
> Eoin,
>
> To be completely honest other than looking at a modification to the
> behavior of byte_test option parsing I haven't looked at the snort
> source code in a very long time.  This is only the observed behavior of
> content/modifier interaction that I have seen.  Hopefully somebody
> from SF will respond.
>
> Regards,
>
> Will
>
Well, with your suggestions/modifications the rules work great now 
(removing the http_client_body from the second match), and just using hex 
values seems to help a bit as well. Thank you so much for the input!

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|np"; distance:32; classtype:bad-unknown; sid:5600099; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; classtype:bad-unknown; sid:5600100; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:32; classtype:bad-unknown; sid:5600101; rev:3;)

-- Eoin
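The following is an added example, not part of Eoin's or Will's posts and not Snort code: a small Python emulator of the three rules above, written to show what the `distance:32` modifier actually requires of the client body (the second content is searched for starting 32 bytes past the end of the `id=` match, with no upper bound since no `within` is given). The sample requests are constructed, not captured traffic; the host, path and the 32-byte token length are assumptions, and the raw body stands in for Snort's normalized `http_client_body` buffer.

```python
"""
Added example (not from the mailing-list post): emulate the three SEO/NEOsploit
"request for ... exploit" rules so the distance:32 semantics can be exercised
against constructed POST bodies.
"""

# (sid, msg, second content): "id=" plus distance:32 are shared by all three rules.
RULES = [
    (5600099, "EID DRIVEBY SEO Exploit Kit - request for PDF exploit", b"%26np"),
    (5600100, "EID DRIVEBY SEO Exploit Kit - request for Java exploit", b"%26j"),
    (5600101, "EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits", b"%26jp"),
]

FIRST_CONTENT = b"id="   # |25 32 36| in the rules is the hex form of "%26", i.e. an encoded "&"
DISTANCE = 32


def split_request(raw: bytes):
    """Return (method, client_body) for a raw HTTP/1.x request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    return method, (body if sep else b"")


def relative_match(buf: bytes, first: bytes, second: bytes, distance: int) -> bool:
    """Emulate `content:first; content:second; distance:N;` on one buffer.

    distance is counted from the END of the previous match: the search for
    `second` begins `distance` bytes past it and, with no `within`, runs to the
    end of the buffer. Later occurrences of `first` are tried too, so a second
    "id=" further into the body can still satisfy the rule.
    """
    start = 0
    while True:
        i = buf.find(first, start)
        if i < 0:
            return False
        cursor = i + len(first) + distance
        if buf.find(second, cursor) >= 0:
            return True
        start = i + 1


def match_rules(raw: bytes):
    """Return the sids of the rules above that the request would trigger."""
    method, body = split_request(raw)
    if method != b"POST":          # content:"POST"; http_method;
        return []
    return [sid for sid, _msg, second in RULES
            if relative_match(body, FIRST_CONTENT, second, DISTANCE)]


def build_post(body: bytes) -> bytes:
    """Constructed POST wrapper; host and path are hypothetical."""
    return (b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample bodies (assumption: a 32-byte token sits between "id=" and "%26").
TOKEN = b"a" * 32
SAMPLE_PDF = build_post(b"id=" + TOKEN + b"%26np")
SAMPLE_JAVA = build_post(b"id=" + TOKEN + b"%26j")
SAMPLE_BOTH = build_post(b"id=" + TOKEN + b"%26jp")
SAMPLE_LONG = build_post(b"id=" + b"a" * 40 + b"%26np")        # gap > 32 still matches
SAMPLE_TOO_CLOSE = build_post(b"id=" + b"a" * 10 + b"%26np")   # marker inside the 32-byte gap
SAMPLE_GET = (b"GET /index.php?id=" + TOKEN + b"%26np HTTP/1.1\r\n"
              b"Host: example.invalid\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("pdf", SAMPLE_PDF), ("java", SAMPLE_JAVA), ("both", SAMPLE_BOTH),
                      ("long", SAMPLE_LONG), ("too_close", SAMPLE_TOO_CLOSE), ("get", SAMPLE_GET)]:
        print(f"{name:10s} -> {match_rules(req)}")
```

Two things the emulator makes visible that the rule text alone does not: a body whose `%26` marker lies closer than 32 bytes after `id=` never matches, because `distance` is a hard minimum, while any longer gap still does; and because `%26j` is a prefix of `%26jp`, the "Java and PDF" request also fires the plain "Java" rule (sid 5600100), so both alerts are expected for that request.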
