Snort mailing list archives
Private Exploit Kit
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 05 Jul 2013 11:44:48 -0600
Let's hope this isn't a muffed sig: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Private Exploit Kit outbound traffic"; flow:to_server,established; content:"Java|2f|1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:10000084; rev:1;) Thoughts on the pcre?...not sure if there's a better way..thanks all. James ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Private Exploit Kit James Lay (Jul 05)
- Re: Private Exploit Kit Joel Esler (Jul 05)
- Re: Private Exploit Kit James Lay (Jul 05)
- Re: Private Exploit Kit Joel Esler (Jul 05)