Snort mailing list archives
Re: Injected Eitest Script
From: Joshua Williams <joshuwi2 () sourcefire com>
Date: Mon, 3 Oct 2016 16:21:56 -0400
Hi el cabezon,

Thanks for your submission. Like Geoff pointed out, you don't need to hex escape the characters in question because they're all ASCII characters. Also, do you have a PCAP or a list of the sites in question? Once I've got that, we'll put this rule through testing.

--
Josh Williams
Detection Response Team
TALOS Security Group

On Mon, Oct 3, 2016 at 3:47 PM, Geoffrey Serrao <gserrao () sourcefire com> wrote:

> The content matches are all ascii, so there is no need to hex escape them:
>
> content:"6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20"; fast_pattern:only;
>
> On Sun, Oct 2, 2016 at 10:04 AM, el cabezon <elcabezzonn () gmail com> wrote:
>
>> I've visited several websites that follow the same pattern as rule sid:38275, "EXPLOIT-KIT Neutrino exploit kit redirection attempt", but replace the ascii with hex ascii. So I just converted the rule's ascii to hex and followed the same template that rule, sid:38275, used. Please let me know if this rule is too bloated. Any critiques and recommendations are welcome.
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Injected EITest script redirection attempt"; flow:to_client,established; file_data; content:"|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 36 63 78 37 34 78 36 35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78 33 30 78 32 39 78 33 62 78 32 30|"; fast_pattern:only; content:"|32 64 78 36 64 78 36 66 78 37 61 78 32 64 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 32 32 78 33 65|"; content:"|36 33 78 36 63 78 36 31 78 37 33 78 37 33 78 36 39 78 36 34 78 33 64 78 32 32 78 36 33 78 36 63 78 37 33 78 36 39 78 36 34 78 33 61 78 36 34 78 33 32 78 33 37 78 36 33 78 36 34 78 36 32 78 33 36 78 36 35 78 32 64 78 36 31 78 36 35 78 33 36 78 36 34 78 32 64 78 33 31 78 33 31 78 36 33 78 36 36 78 32 64 78 33 39 78 33 36 78 36 32 78 33 38 78 32 64 78 33 34 78 33 34 78 33 34 78 33 35 78 33 35 78 33 33 78 33 35 78 33 34 78 33 30 78 33 30 78 33 30 78 33 30 78 32 32|"; within:500; classtype:trojan-activity; sid:1000000008;rev:1;)

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
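An added example, not code from this thread or from the Snort project: it parses the three content matches of the rule quoted above, rewrites them in the plain-ASCII form Geoff and Josh recommend (applying the Snort manual's rule that `;`, `"` and `\` must be backslash-escaped inside content), and decodes the x-separated hex pairs to show the page text each match actually looks for. The function names are mine; RULE_CONTENTS is copied verbatim from the posted rule.

```python
import re
from itertools import groupby

# The three content matches from the rule posted in this thread, copied verbatim.
RULE_CONTENTS = [
    "|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 "
    "36 63 78 37 34 78 36 35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38 78 36 66 78 "
    "37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78 33 30 78 32 39 78 33 62 78 32 30|",
    "|32 64 78 36 64 78 36 66 78 37 61 78 32 64 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 "
    "33 61 78 33 30 78 33 62 78 32 32 78 33 65|",
    "|36 33 78 36 63 78 36 31 78 37 33 78 37 33 78 36 39 78 36 34 78 33 64 78 32 32 78 36 33 78 36 63 78 37 33 78 "
    "36 39 78 36 34 78 33 61 78 36 34 78 33 32 78 33 37 78 36 33 78 36 34 78 36 32 78 33 36 78 36 35 78 32 64 78 "
    "36 31 78 36 35 78 33 36 78 36 34 78 32 64 78 33 31 78 33 31 78 36 33 78 36 36 78 32 64 78 33 39 78 33 36 78 "
    "36 32 78 33 38 78 32 64 78 33 34 78 33 34 78 33 34 78 33 35 78 33 35 78 33 33 78 33 35 78 33 34 78 33 30 78 "
    "33 30 78 33 30 78 33 30 78 32 32|",
]

# One Snort content token: a |hex| block, a backslash-escaped character, or a literal.
_TOKEN = re.compile(r"\|([0-9A-Fa-f ]*)\||\\(.)|(.)", re.S)
def snort_content_to_bytes(content):
    """Parse a Snort content string into the raw bytes the engine searches for."""
    out = bytearray()
    for m in _TOKEN.finditer(content):
        if m.lastindex == 1:                      # hex block, e.g. |36 66|
            out += bytes.fromhex(m.group(1))
        else:                                     # \; \" \\ or a plain character
            out.append(ord(m.group(m.lastindex)))
    return bytes(out)

def bytes_to_snort_content(data):
    """Shortest equivalent content: printable ASCII literal (Geoff's point), ; " \\ escaped, rest as |hex|."""
    out = []
    for literal, run in groupby(data, key=lambda b: 0x20 <= b < 0x7F and b != 0x7C):
        run = bytes(run)
        if literal:
            out.append("".join("\\" + c if c in ';"\\' else c for c in run.decode()))
        else:                                     # non-printable bytes and | (opens a hex block)
            out.append("|" + run.hex(" ").upper() + "|")
    return "".join(out)

def decode_x_hex(text):
    """Undo the x-separated hex used by the injected script: "6fx70x61" -> "opa"."""
    return bytes.fromhex(text.replace("x", "")).decode("ascii")

def explain_rule():
    """Per content match: (plain-ASCII Snort content, the page text it matches)."""
    rows = []
    for c in RULE_CONTENTS:
        raw = snort_content_to_bytes(c)
        rows.append((bytes_to_snort_content(raw), decode_x_hex(raw.decode("ascii"))))
    return rows
```

The third match decodes to the classid of the Shockwave Flash ActiveX control, so the rule is effectively looking for an invisible (opacity 0) Flash object, which is worth stating in the msg rather than leaving it buried in hex.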