Snort mailing list archives

Re: Rawin EK

From: "lists () packetmail net" <lists () packetmail net>
Date: Fri, 21 Jun 2013 09:05:56 -0500

On 06/20/2013 06:02 PM, Joel Esler wrote:


Thanks, this is how I added it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin
exploit kit outbound java retrieval"; flow:to_server,established;
content:".php?b="; http_uri; content:"&v=1."; distance:0; http_uri;
pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; classtype:trojan-activity;
sid:26985; rev:1;)


Great, thanks Joel for the feedback, sig looks good.  Anyone get exploit
payload, not hostile jar, on this one?

Cheers,
Nathan


------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Rawin EK Community Proposed (Jun 20)
- Re: Rawin EK Joel Esler (Jun 20)
  - Re: Rawin EK lists () packetmail net (Jun 21)
    - Re: Rawin EK Joel Esler (Jun 21)