Snort mailing list archives

SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request


From: Joe Gedeon <joe.gedeon () gmail com>
Date: Wed, 24 Sep 2014 08:37:34 -0400

With this new signature we are getting quite a few false positives for this
signature. Looking at the documentation linked in the signature it seems
the section about not having a referrer was common in these. Is there
documentation that shows a recent version of the Astrum exploit kit is now
accepting requests with referrers in the header?

"with Astrum : show a referer and you'll get ignored and IP banned.
Firefox, Chrome and Opera are also ignored"

It seems this rule is completely missing the exploit attempt and is
creating a high number of false positives.

A sample ASCII packet that the rule is triggering on:
07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto
TCP (6), length 1052)
    192.168.1.28.58269 > 162.208.20.163.80: Flags [P.], cksum 0x617e
(correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012
E...J.@................P......[.P...a~..GET
/v1/epix/6835069/3845993/81088/122369/PbqfCmHAMhCcRUIqqIAAE8wAAB3gEAOq9pAAAAAAAxr2GnBMbwAQ/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_JmMxPTgmYzI9NjAwMDAwNiZjMz04MTA4OCZjND0zODQ1OTkzJmM1PTE4OTI3JmM2PTY4MzUwNjkmYzEwPTEyMjM2OSZjdj0xLjcmY2o9MSZybj0xNDExNTU4MDI0JnI9aHR0cCUzQSUyRiUyRnBpeGVsLnF1YW50c2VydmUuY29tJTJGcGl4ZWwlMkZwLWNiNkMwekZGN2RXakkuZ2lmJTNGbGFiZWxzJTNEcC42ODM1MDY5LjM4NDU5OTMuMCUyQ2EuMTg5MjcuODEwODguMTIyMzY5JTJDdS45NjguNjQweDM2MCUzQm1lZGlhJTNEYWQlM0JyJTNEMTQxMTU1ODAyNA/cnbd.
HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer:
http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/20140918.77768_master/Scout.swf?type=r&config_url_64=&hidefb=true&cx=&t=33&d=300x250&;
x-flash-version: 11,8,800,175
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0;)
Host: brxserv-20.btrll.com
Connection: Keep-Alive
Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ;
MEB=BUqRdAABPPEAOtI8AAHejA


-- 
Registered Linux User # 379282
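A defender-side triage check for alerts like the one above, added here as an example and not code from the post or from the Snort rule: it parses a raw HTTP request and reports which of the Astrum behaviours quoted in the post (requests carrying a Referer are ignored; Firefox, Chrome and Opera are ignored) make an alert a likely false positive. The sample request is constructed to mirror the packet in the post, with the URI shortened; the function names are my own.

```python
import re

# Constructed sample modelled on the request quoted above (URI shortened).
SAMPLE_REQUEST = (
    "GET /v1/epix/6835069/3845993/81088/event.imp/r_64.aHR0cDov/cnbd. HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://aka.spotxcdn.com/shim/Scout.swf?type=r\r\n"
    "x-flash-version: 11,8,800,175\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0;)\r\n"
    "Host: brxserv-20.btrll.com\r\n"
    "\r\n"
)

# Browsers the post says the kit ignores; "OPR" is Opera's Blink-era UA token.
IGNORED_BROWSERS = re.compile(r"Firefox|Chrome|Opera|OPR/", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, headers).

    Header names are lower-cased so lookups are case-insensitive; lines
    without a colon (e.g. folded continuations) are skipped.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def astrum_fp_reasons(raw):
    """Return the reasons this request would be ignored by Astrum, per the
    behaviour quoted in the post; an empty list means the profile still fits."""
    _method, _uri, headers = parse_request(raw)
    reasons = []
    if "referer" in headers:
        reasons.append("referer present")
    if IGNORED_BROWSERS.search(headers.get("user-agent", "")):
        reasons.append("browser ignored by kit")
    return reasons


if __name__ == "__main__":
    print(astrum_fp_reasons(SAMPLE_REQUEST))  # ['referer present']
```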
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!