Re: Injected Eitest Script

[Joshua Williams <joshuwi2 () sourcefire com>]

Hi el cabezon,

Thanks for your submission. Like Geoff pointed out, you don't need to hex
escape the characters in question because they're all ASCII characters.
Also, do you have a PCAP or a list of the sites in question? Once I've got
that, we'll put this rule through testing.


--
Josh Williams
Detection Response Team
TALOS Security Group

On Mon, Oct 3, 2016 at 3:47 PM, Geoffrey Serrao <gserrao () sourcefire com>
wrote:

> The content matches are all ascii, so there is no need to hex escape them:
>
> content:"6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x
> 68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20"; fast_pattern:only;
>
> On Sun, Oct 2, 2016 at 10:04 AM, el cabezon <elcabezzonn () gmail com> wrote:
>
> > I've visited several websites that  follow the same pattern as rule
> > sid:38275, "EXPLOIT-KIT Neutrino exploit kit redirection attempt, but
> > replace the ascii with hex ascii. So i just converted the rule to hex ascii
> > to hex and followed the same template that rule, sid:38275, used. Please
> > let me know if this rule is too bloated. Any critiques and recommendations
> > are welcome.
> >
> >
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
> > Injected EITest script redirection attempt"; flow:to_client,established;
> > file_data; content:"|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78
> > 37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 36 63 78 37 34 78 36
> > 35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38
> > 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78
> > 33 30 78 32 39 78 33 62 78 32 30|"; fast_pattern:only; content:"|32 64 78
> > 36 64 78 36 66 78 37 61 78 32 64 78 36 66 78 37 30 78 36 31 78 36 33 78 36
> > 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 32 32 78 33 65|";
> > content:"|36 33 78 36 63 78 36 31 78 37 33 78 37 33 78 36 39 78 36 34 78 33
> > 64 78 32 32 78 36 33 78 36 63 78 37 33 78 36 39 78 36 34 78 33 61 78 36 34
> > 78 33 32 78 33 37 78 36 33 78 36 34 78 36 32 78 33 36 78 36 35 78 32 64 78
> > 36 31 78 36 35 78 33 36 78 36 34 78 32 64 78 33 31 78 33 31 78 36 33 78 36
> > 36 78 32 64 78 33 39 78 33 36 78 36 32 78 33 38 78 32 64 78 33 34 78 33 34
> > 78 33 34 78 33 35 78 33 35 78 33 33 78 33 35 78 33 34 78 33 30 78 33 30 78
> > 33 30 78 33 30 78 32 32|"; within:500; classtype:trojan-activity;
> > sid:1000000008;rev:1;)
> >
> >
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!