Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Private Exploit Kit

From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 05 Jul 2013 11:44:48 -0600
Let's hope this isn't a muffed sig:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Private Exploit Kit outbound traffic"; flow:to_server,established; 
content:"Java|2f|1"; http_header; 
pcre:"/\x2ephp\x3f[a-z]+=[0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://www.malwaresigs.com/2013/07/03/another-unknown-ek; 
classtype:trojan-activity; sid:10000084; rev:1;)

Thoughts on the pcre?...not sure if there's a better way..thanks all.

James

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: