Snort mailing list archives
Re: Rig Exploit Kit outbound URI request signature
From: "lists () packetmail net" <lists () packetmail net>
Date: Thu, 10 Jul 2014 11:20:00 -0500
On 07/10/2014 11:03 AM, Geoffrey Serrao wrote:
> I've put into testing two rules which should cover both cases.

I wouldn't fixate on the names in the .html files, they vary. This is what Ify, Will, and I came up with on the Emerging-Threats side:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS food.com compromise hostile JavaScript gate"; flow:established,to_server; content:".html?0."; http_uri; fast_pattern:only; pcre:"/\/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$/U"; classtype:trojan-activity; sid:2018505; rev:4;)

Hmm, that's strange, the [a-z] should be {1,6} not {1,3} -- letting Will know now.

Cheers,
Nathan Fowler
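As an added illustration that is not part of the thread, the following Python snippet applies the ET rule's pcre to a handful of constructed request URIs, with both the {1,3} quantifier as posted and the {1,6} that Nathan says was intended, after the rule's content:".html?0." precondition. Assumptions: Snort's /U (normalized http_uri) modifier is approximated by matching the regex against the plain URI string, and the sample URIs are made up for the demonstration.

```python
import re

# pcre from the quoted ET rule (sid:2018505) with the Snort /U modifier dropped;
# Python applies it directly to the normalized request URI string.
RULE_PCRE_AS_POSTED = re.compile(r"/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$")
# Same expression with the quantifier the reply says was intended: {1,6}.
RULE_PCRE_CORRECTED = re.compile(r"/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$")

# The rule's content match (content:".html?0."; http_uri) must hit before the pcre runs.
FAST_PATTERN = ".html?0."


def uri_matches(uri: str, pcre: re.Pattern) -> bool:
    """Mimic the rule's URI checks: content match first, then the pcre."""
    if FAST_PATTERN not in uri:
        return False
    return pcre.search(uri) is not None


# Constructed sample URIs (not taken from the thread) that exercise the quantifier.
SAMPLE_URIS = [
    "/abc.html?0.123",      # 3-letter file name: hits both variants
    "/abcdef.html?0.987a",  # 6-letter file name: only the {1,6} variant hits
    "/abcdefg.html?0.5",    # 7 letters: neither variant hits
    "/abc.html?1.5",        # query does not start with "0.": content match fails
    "/dir/abc.html?0.42",   # leading path is fine, the pcre is only anchored at the end
    "/ABC.html?0.42",       # [a-z] is case sensitive (no /i), so uppercase does not hit
]


def evaluate(uris, pcre):
    """Return {uri: matched} for a list of URIs under the given pcre variant."""
    return {u: uri_matches(u, pcre) for u in uris}


def count_hits(uris, pcre) -> int:
    """Number of URIs the rule variant would alert on."""
    return sum(evaluate(uris, pcre).values())


if __name__ == "__main__":
    for label, pcre in (("as posted {1,3}", RULE_PCRE_AS_POSTED),
                        ("corrected {1,6}", RULE_PCRE_CORRECTED)):
        print(label)
        for uri, hit in evaluate(SAMPLE_URIS, pcre).items():
            print(f"  {'ALERT' if hit else '     '}  {uri}")
```

Running it shows the two variants differing only on the six-letter file name, which is exactly the gap the reply points out.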
Current thread:
- Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 03)
- <Possible follow-ups>
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 03)
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)