Snort mailing list archives
Rule 36535 FP
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 26 Oct 2015 09:47:46 -0600
Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client, established; file_data; content:"return"; content:"join"; within:8; content:"MSIE"; distance:0; content:"navigator"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36535; rev:1;)

Hit:

15:43:06 [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 23.67.76.16:80 -> x.x.x.x:63142

2015-10-26T15:43:06+0000 x.x.x.x 63142 23.67.76.16 80 1 GET player.ooyala.com /v3/MDYzZmYzZjIwNTA0YjI4Y2YyM2JmNTgw?platform=html5-fallback http://bleacherreport.com/articles/2577681-arian-foster-injury-updates-on-texans-stars-achilles-and-return?utm_source=newsletter&utm_medium=newsletter&utm_campaign=nfl Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0 149401 200 OK

I've had to nuke this rule for three days now..

James

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
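The false positive reported above comes down to how loose the rule's content chain is: "return" followed by "join" within 8 bytes, then "MSIE" anywhere later, then "navigator" within 60 bytes of that, all in the response body (file_data). That sequence is exactly what an ordinary browser-capability check in a video player's HTML5 fallback script looks like. The following is an added example, not code from the post or from the Snort project: a small re-implementation of Snort's content / distance / within chaining (the relative-modifier semantics are my reading of the Snort manual and are an approximation, not Snort's engine), run over two constructed JavaScript samples so you can see which benign text satisfies the chain and where the chain breaks. It is the kind of check worth doing before deciding whether to tune a rule or disable it.

```python
# Added example (not part of the original post or the Snort project): a small
# re-implementation of Snort's content/distance/within chaining, used to check
# what sid:36535's content chain actually requires of a response body and why
# ordinary browser-detection JavaScript can satisfy it. The relative-modifier
# semantics below are my reading of the Snort manual (an approximation), and
# the sample scripts are constructed for this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Content:
    pattern: bytes
    distance: Optional[int] = None  # start searching N bytes after the previous match ends
    within: Optional[int] = None    # pattern must end within N bytes of the previous match end


# Content chain transcribed from the rule quoted in the post (file_data buffer).
SID_36535 = [
    Content(b"return"),
    Content(b"join", within=8),
    Content(b"MSIE", distance=0),
    Content(b"navigator", within=60),
]


def _occurrences(data: bytes, pat: bytes, start: int, end: int):
    """Yield every offset where pat occurs fully inside data[start:end]."""
    pos = data.find(pat, start, end)
    while pos != -1:
        yield pos
        pos = data.find(pat, pos + 1, end)


def match_chain(data: bytes, chain: List[Content], idx: int = 0, doe: int = 0,
                hits: Optional[List[Tuple[int, int]]] = None) -> Optional[List[Tuple[int, int]]]:
    """Return the (start, end) offsets of each content match if the whole chain
    matches in order, else None. A content with distance or within is relative
    to the end of the previous match ('doe'); one without is absolute and may
    match anywhere in the buffer. Later contents backtrack over earlier
    occurrences, as Snort's matcher does, so one bad alignment does not hide a
    later one that satisfies the chain."""
    hits = hits or []
    if idx == len(chain):
        return hits
    c = chain[idx]
    relative = c.distance is not None or c.within is not None
    start = doe + (c.distance or 0) if relative else 0
    end = doe + c.within if c.within is not None else len(data)
    for pos in _occurrences(data, c.pattern, start, end):
        rest = match_chain(data, chain, idx + 1, pos + len(c.pattern),
                           hits + [(pos, pos + len(c.pattern))])
        if rest is not None:
            return rest
    return None


def matched_tokens(data: bytes, chain: List[Content] = SID_36535) -> Optional[List[bytes]]:
    """Convenience wrapper: the bytes each content matched, or None on no hit."""
    hits = match_chain(data, chain)
    return None if hits is None else [data[s:e] for s, e in hits]


# Constructed sample 1: a harmless browser-capability check of the kind a video
# player's HTML5 fallback might ship. It is not exploit code, yet it satisfies
# every content in the chain, in order and within the stated byte windows.
BENIGN_JS = (
    b"function legacyIE() {\n"
    b"  var v = []; return v.join('');\n"
    b"}\n"
    b"if (/MSIE/.test(navigator.userAgent)) { fallback(); }\n"
)

# Constructed sample 2: also mentions MSIE and navigator, but 'join' does not
# follow 'return' within 8 bytes, so the chain breaks at the second content.
NO_HIT_JS = (
    b"var ua = navigator.userAgent;\n"
    b"function isIE() { return ua.indexOf('MSIE') !== -1; }\n"
)


if __name__ == "__main__":
    for name, body in (("benign player JS", BENIGN_JS), ("unrelated sniffing JS", NO_HIT_JS)):
        print(f"{name}: {matched_tokens(body)}")
```

Running it shows the first sample matching on the literal tokens return / join / MSIE / navigator, while the second does not. Feeding the tool the actual response body from the hit (the 149401-byte 200 OK from player.ooyala.com in the log line above) would show the exact offsets that fired, which is the evidence to attach when reporting the FP or when deciding whether a tighter anchor (a longer, more specific content, or a pcre over the same region) is needed instead of dropping the rule.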