Snort mailing list archives
Re: FP on EXPLOIT-KIT Angler(1:31046)
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 7 Jan 2015 18:59:44 +0000
We may be able to retire this rule soon. I don’t think this method is used anymore.
On Jan 7, 2015, at 1:49 PM, Andre DiMino <adimino () sempersecurus org> wrote:

> Actually, the negation I used is uricontent:!"aHR0cDovL";
>
> On Wed, Jan 7, 2015 at 1:31 PM, Andre DiMino <adimino () sempersecurus org> wrote:
>
>> I’ve noted a few FP on the EXPLOIT-KIT Angler exploit kit outbound URL structure (1:31046) signature. The hits all seem to be related to mobile ad campaigns. For example, these GET requests trigger the sig:
>>
>> GET /aHR0cDovL2VtYWlsLWFzc2V0cy5jYXItaG91bmQuY29tL2NoX2F1dG9fYnJhbmRzMS5wbmc= HTTP/1.1
>> Host: m.scrallshopping[.]com
>> Connection: keep-alive
>> Accept: image/webp,*/*;q=0.8
>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
>> Accept-Encoding: gzip, deflate, sdch
>> Accept-Language: en-US,en;q=0.8
>>
>> GET /aHR0cDovL3d3dy5qb2J0aHVuZGVyLmNvbS9lL3BpeGVsLzZyVE9DaTc1Wm1xRjJTTmVveHFGdFlLTA== HTTP/1.1
>> Host: m.job-binder[.]com
>> Connection: keep-alive
>> Accept: image/webp,*/*;q=0.8
>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
>> Accept-Encoding: gzip, deflate, sdch
>> Accept-Language: en-US,en;q=0.8
>>
>> GET /aHR0cHM6Ly9kMjhvdHV3a213NXg2ai5jbG91ZGZyb250Lm5ldC9wZmNsMi9iYWNrZ3JvdW5kLnBuZw== HTTP/1.1
>> Host: m.shieldchaz[.]com
>> Connection: keep-alive
>> Accept: image/webp,*/*;q=0.8
>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
>> Accept-Encoding: gzip, deflate, sdch
>> Accept-Language: en-US,en;q=0.8
>>
>> GET /aHR0cDovL3d3dy5qb2J0aHVuZGVyLmNvbS9lL3BpeGVsL1ZzZXlVNlpKTUozV1FFaFlFUnhVNUNEZA== HTTP/1.1
>> Host: m.headhuntexpress[.]com
>> Connection: keep-alive
>> Accept: image/webp,*/*;q=0.8
>> User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; XT1080 Build/SU5-24) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
>> Accept-Encoding: gzip,deflate
>> Accept-Language: en-US
>> X-Requested-With: com.yahoo.mobile.client.android.mail
>>
>> All the Base64 URIs point to an image file hosted elsewhere. Some registrations associated with the domains I’ve seen are Cognius, Yorkshire Affiliate Promotions, "ReferenceAdvisor", and Azrael Creatives. The m[dot] domains seem to indicate mobile versions of the site. I'm suspecting it might just be some attempt to obfuscate the URLs of mobile ad campaigns? In any case, while probably not ideal, I'm going to try negating the "aHR0cDovL3" seen in the beginning of the URI to see if it cuts down these particular Angler FPs.
>>
>> Any similar observations or thoughts?
>>
>> --
>> Andre' M. DiMino
>> DeepEnd Research
>> http://deependresearch.org
>> http://sempersecurus.org
>> "Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
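Added example (not part of the thread and not Snort code): it base64-decodes the four request paths quoted above and models the two negations mentioned in the thread, uricontent:!"aHR0cDovL3" and the corrected uricontent:!"aHR0cDovL", as a plain substring test. It shows why the 9-character prefix covers every http:// URL (the 10th base64 character depends on the first letter of the hostname) and why an https:// URL, which encodes to a different prefix, is not covered by either negation.

```python
import base64
from typing import Optional

# The four request paths quoted in the thread (copied from the GET lines above).
PATHS = [
    "/aHR0cDovL2VtYWlsLWFzc2V0cy5jYXItaG91bmQuY29tL2NoX2F1dG9fYnJhbmRzMS5wbmc=",
    "/aHR0cDovL3d3dy5qb2J0aHVuZGVyLmNvbS9lL3BpeGVsLzZyVE9DaTc1Wm1xRjJTTmVveHFGdFlLTA==",
    "/aHR0cHM6Ly9kMjhvdHV3a213NXg2ai5jbG91ZGZyb250Lm5ldC9wZmNsMi9iYWNrZ3JvdW5kLnBuZw==",
    "/aHR0cDovL3d3dy5qb2J0aHVuZGVyLmNvbS9lL3BpeGVsL1ZzZXlVNlpKTUozV1FFaFlFUnhVNUNEZA==",
]


def decode_uri_path(path: str) -> Optional[str]:
    """Base64-decode a URI path like the ones above; None if it is not base64 text."""
    token = path.lstrip("/")
    token += "=" * (-len(token) % 4)  # tolerate '=' padding dropped from a URL
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def b64_prefix(plaintext: bytes, n: int) -> str:
    """First n base64 characters of plaintext.

    'aHR0cDovL' (9 chars) is the same for every 'http://' URL; the 10th
    character already depends on the first letter of the hostname.
    """
    return base64.b64encode(plaintext)[:n].decode("ascii")


def still_fires(path: str, negated_content: str) -> bool:
    """Model uricontent:!"negated_content": the rule fires only if it is absent."""
    return negated_content not in path


def fire_count(paths, negated_content: str) -> int:
    """How many of the paths would still trigger the rule after the negation."""
    return sum(still_fires(p, negated_content) for p in paths)


if __name__ == "__main__":
    for p in PATHS:
        print(p[:16] + "...", "->", decode_uri_path(p))
    for neg in ("aHR0cDovL3", "aHR0cDovL"):
        print(f'uricontent:!"{neg}" leaves {fire_count(PATHS, neg)} of {len(PATHS)} firing')
```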