Snort mailing list archives

Rule 36535 FP


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 26 Oct 2015 09:47:46 -0600

Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client,established; file_data; content:"return"; content:"join"; within:8; content:"MSIE"; distance:0; content:"navigator"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36535; rev:1;)


Hit:
15:43:06  [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 23.67.76.16:80 -> x.x.x.x:63142

2015-10-26T15:43:06+0000        x.x.x.x  63142   23.67.76.16     80      1       GET     player.ooyala.com       /v3/MDYzZmYzZjIwNTA0YjI4Y2YyM2JmNTgw?platform=html5-fallback    http://bleacherreport.com/articles/2577681-arian-foster-injury-updates-on-texans-stars-achilles-and-return?utm_source=newsletter&utm_medium=newsletter&utm_campaign=nfl        Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko    0       149401  200     OK

I've had to nuke this rule for three days now..

James
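To see why this rule fires on ordinary player JavaScript, here is an added example (not part of James's post or the Snort rule set) that emulates the content/within/distance chain of sid 36535 in Python. The matching semantics are my reading of the Snort 2 manual, and both script samples are constructed, not the script actually served by player.ooyala.com.

```python
# Added example: emulate the content chain of sid 36535 on sample file_data.
# Snort 2 semantics as assumed here: "distance:N" starts the next search N bytes
# after the previous match end; "within:N" requires the next content to end no
# more than N bytes after the previous match end; Snort backtracks to a later
# occurrence of an earlier content when a later one cannot be satisfied.

# Each entry: (pattern, distance, within), in rule order.
SID_36535_CHAIN = [
    (b"return", None, None),     # first content: anywhere in file_data
    (b"join", None, 8),          # within:8  -> ends <= 8 bytes after "return"
    (b"MSIE", 0, None),          # distance:0 -> anywhere after "join"
    (b"navigator", None, 60),    # within:60 -> ends <= 60 bytes after "MSIE"
]

def match_chain(buf, chain, cursor=0):
    """True if every content in `chain` matches relative to the previous match
    end (`cursor`), retrying earlier contents at later offsets if needed."""
    if not chain:
        return True
    pattern, distance, within = chain[0]
    start = cursor + (distance or 0)
    end = len(buf) if within is None else cursor + within
    idx = buf.find(pattern, start, end)
    while idx >= 0:
        if match_chain(buf, chain[1:], idx + len(pattern)):
            return True
        idx = buf.find(pattern, idx + 1, end)
    return False

def sid_36535_fires(file_data: bytes) -> bool:
    return match_chain(file_data, SID_36535_CHAIN)

# Constructed benign script: a tiny array-join helper followed by the usual
# old-IE check on navigator.userAgent. Every content lands inside its window.
BENIGN_HIT = (
    b'function joinAll(p){return p.join("");}\n'
    b'var ua = navigator.userAgent;\n'
    b'var isIE = ua.indexOf("MSIE") > -1 || navigator.appName == "IE";\n'
)

# Same script with one extra call between return and join: "join" now ends
# more than 8 bytes after "return", so the chain breaks and nothing fires.
BENIGN_MISS = BENIGN_HIT.replace(b"return p.join", b"return p.slice(0).join")

if __name__ == "__main__":
    print("hit :", sid_36535_fires(BENIGN_HIT))    # True
    print("miss:", sid_36535_fires(BENIGN_MISS))   # False
```

The four contents are all common tokens of browser-detection code, so any page that returns a joined array within a few bytes and then inspects the user agent will trip the rule.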

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!