[Snort-users] [Emerging-Sigs] Signatures for Clients POSTing to SEO/NEOsploit Exploit Kits - Round 2

Eoin Miller eoin.miller at ...14586...
Wed Aug 11 13:08:11 EDT 2010


  Best and final version; it looks like mucking around with these may have 
identified a bug in Snort. Now added the within keyword to further stop FPs:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|np"; distance:32; within:5; classtype:bad-unknown; sid:5600099; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; classtype:bad-unknown; sid:5600100; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:5; within:5; classtype:bad-unknown; sid:5600101; rev:4;)

-- Eoin
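To see why the added within keyword narrows these rules, the following Python script (an added illustration, not part of Eoin's post or of Snort itself) models the content/distance/within chain from the three signatures over a few constructed POST bodies. It is a simplified model of Snort's relative-content semantics: after the "id=" anchor, the second pattern must fall entirely inside a window that starts `distance` bytes after the anchor and is `within` bytes long. The sample bodies and the helper names are assumptions made for the demonstration; they are not captured traffic.

```python
from typing import Optional

# Constructed sample POST bodies (not real captures). The first two mimic the
# shape the rules describe: "id=" followed by a 32-byte value and then the
# URL-encoded "&np" / "&j" marker. The last two share the "id=" token but sit
# at the wrong offset and should not fire once distance/within apply.
SAMPLE_BODIES = {
    "pdf_request": b"id=" + b"a" * 32 + b"%26np",
    "java_request": b"id=" + b"0123456789abcdef0123456789abcdef" + b"%26j",
    "benign_short": b"id=42%26np",                    # marker too close to "id="
    "benign_far": b"id=" + b"a" * 40 + b"%26np",      # marker past the within window
}

# (msg fragment, relative content pattern, distance, within) as in the posted rules.
# "|25 32 36|" is the hex form of the bytes "%26".
RULES = [
    ("SEO Exploit Kit - request for PDF exploit", b"%26np", 32, 5),
    ("SEO Exploit Kit - request for Java exploit", b"%26j", 32, 4),
    ("SEO Exploit Kit - request for Java and PDF exploits", b"%26jp", 5, 5),
]


def relative_match(body: bytes, anchor: bytes, pattern: bytes,
                   distance: int, within: Optional[int]) -> bool:
    """Simplified model of content;distance;within (assumption, not Snort code).

    Every occurrence of `anchor` is tried, as Snort does. For each one the
    search window begins `distance` bytes after the end of the anchor; with
    `within` set it is `within` bytes long, otherwise it extends to the end of
    the body (what the rules looked like before within was added).
    """
    start = 0
    while True:
        idx = body.find(anchor, start)
        if idx < 0:
            return False
        anchor_end = idx + len(anchor)
        window_start = anchor_end + distance
        window_end = len(body) if within is None else window_start + within
        if pattern in body[window_start:window_end]:
            return True
        start = idx + 1


def matching_rules(body: bytes) -> list:
    """Names of the posted rules whose body-content chain matches `body`."""
    return [name for name, pattern, distance, within in RULES
            if relative_match(body, b"id=", pattern, distance, within)]


def fires_without_within(body: bytes) -> list:
    """Same rules with the within constraint dropped, to show the extra hits."""
    return [name for name, pattern, distance, _ in RULES
            if relative_match(body, b"id=", pattern, distance, None)]


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:13} with within: {matching_rules(body)}")
        print(f"{label:13} no within:   {fires_without_within(body)}")
```

Run as a script it prints which of the three rules each sample body would trigger, once with the within bound and once without it; the "benign_far" body is the case the bound removes, since "%26np" is present but lands outside the five-byte window that starts 32 bytes after "id=".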
