Snort mailing list archives
SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request
From: Joe Gedeon <joe.gedeon () gmail com>
Date: Wed, 24 Sep 2014 08:37:34 -0400
With this new signature we are getting quite a few false positives for this signature. Looking at the documentation linked in the signature it seems the section about not having a referrer was common in these. Is there documentation that shows a recent version of the Astrum exploit kit is now accepting requests with referrers in the header? "with Astrum : show a referer and you'll get ignored and IP banned. Firefox, Chrome and Opera are also ignored" It seems this rule is completely missing the exploit attempt and is creating a high number of false positives. A sample ascii packet that the rule is triggering on: 07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto TCP (6), length 1052) 192.168.1.28.58269 > 162.208.20.163.80: Flags [P.], cksum 0x617e (correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012 E...J.@................P......[.P...a~..GET /v1/epix/6835069/3845993/81088/122369/PbqfCmHAMhCcRUIqqIAAE8wAAB3gEAOq9pAAAAAAAxr2GnBMbwAQ/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_JmMxPTgmYzI9NjAwMDAwNiZjMz04MTA4OCZjND0zODQ1OTkzJmM1PTE4OTI3JmM2PTY4MzUwNjkmYzEwPTEyMjM2OSZjdj0xLjcmY2o9MSZybj0xNDExNTU4MDI0JnI9aHR0cCUzQSUyRiUyRnBpeGVsLnF1YW50c2VydmUuY29tJTJGcGl4ZWwlMkZwLWNiNkMwekZGN2RXakkuZ2lmJTNGbGFiZWxzJTNEcC42ODM1MDY5LjM4NDU5OTMuMCUyQ2EuMTg5MjcuODEwODguMTIyMzY5JTJDdS45NjguNjQweDM2MCUzQm1lZGlhJTNEYWQlM0JyJTNEMTQxMTU1ODAyNA/cnbd. HTTP/1.1 Accept: */* Accept-Language: en-US Referer: http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/20140918.77768_master/Scout.swf?type=r&config_url_64=&hidefb=true&cx=&t=33&d=300x250& x-flash-version: 11,8,800,175 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0;) Host: brxserv-20.btrll.com Connection: Keep-Alive Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ; MEB=BUqRdAABPPEAOtI8AAHejA -- Registered Linux User # 379282
------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request Joe Gedeon (Sep 24)