Snort mailing list archives

Re: Injected Eitest Script

From: el cabezon <elcabezzonn () gmail com>
Date: Mon, 3 Oct 2016 17:50:48 -0400

I appreciate your recommendation Mr. Serrao. Here is the revised rule.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
Injected EITest script redirection attempt"; flow:to_client,established;
file_data;
content:"6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20";
fast_pattern:only;
content:"2dx6dx6fx7ax2dx6fx70x61x63x69x74x79x3ax30x3bx22x3e";
content:"63x6cx61x73x73x69x64x3dx22x63x6cx73x69x64x3ax64x32x37x63x64x62x36x65x2dx61x65x36x64x2dx31x31x63x66x2dx39x36x62x38x2dx34x34x34x35x35x33x35x34x30x30x30x30x22";
within:500; classtype:trojan-activity; sid:1000000008;rev:2;)

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Injected Eitest Script el cabezon (Oct 02)
- Re: Injected Eitest Script Geoffrey Serrao (Oct 03)
  - Re: Injected Eitest Script Joshua Williams (Oct 03)
- <Possible follow-ups>
- Re: Injected Eitest Script el cabezon (Oct 03)
- Re: Injected Eitest Script el cabezon (Oct 04)