Snort mailing list archives
Re: Injected Eitest Script
From: el cabezon <elcabezzonn () gmail com>
Date: Mon, 3 Oct 2016 17:50:48 -0400
I appreciate your recommendation, Mr. Serrao. Here is the revised rule.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Injected EITest script redirection attempt"; flow:to_client,established; file_data; content:"6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20"; fast_pattern:only; content:"2dx6dx6fx7ax2dx6fx70x61x63x69x74x79x3ax30x3bx22x3e"; content:"63x6cx61x73x73x69x64x3dx22x63x6cx73x69x64x3ax64x32x37x63x64x62x36x65x2dx61x65x36x64x2dx31x31x63x66x2dx39x36x62x38x2dx34x34x34x35x35x33x35x34x30x30x30x30x22"; within:500; classtype:trojan-activity; sid:1000000008;rev:2;)
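An added example, not part of the post above: it decodes the three content strings of the revised rule into the markup they represent and emulates the rule's content chain (non-relative contents searched from the start of the buffer, the third content restricted by within:500) over a constructed sample. It assumes that each "x" in the strings separates one hex byte pair and that within:N means the whole pattern must sit inside the N bytes after the previous match end, a simplification of Snort's matcher.

```python
# Content strings copied from the revised rule as they appear on this page.
# ASSUMPTION: each "x" separates one hex byte pair. Tuple form: (pattern, within);
# within=None means the content is not relative to the previous match.
RULE_CONTENTS = [
    ("6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20", None),
    ("2dx6dx6fx7ax2dx6fx70x61x63x69x74x79x3ax30x3bx22x3e", None),
    ("63x6cx61x73x73x69x64x3dx22x63x6cx73x69x64x3ax64x32x37x63x64x62x36x65x2dx61x65x36x64x2dx31x31x63x66x2dx39x36x62x38x2dx34x34x34x35x35x33x35x34x30x30x30x30x22", 500),
]


def decode_pattern(pattern: str) -> bytes:
    """Turn "6fx70x61" into b"opa": split on the x separator, read each piece as hex."""
    return bytes(int(h, 16) for h in pattern.split("x"))


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's content chain (simplified Snort semantics).

    A content with no relative modifier is searched from the start of the buffer.
    within:N limits the next content to the N bytes after the previous match end,
    and the whole pattern must fit inside that window.
    """
    prev_end = 0
    for pattern, within in RULE_CONTENTS:
        needle = decode_pattern(pattern)
        if within is None:
            idx = payload.find(needle)
        else:
            idx = payload[prev_end:prev_end + within].find(needle)
            if idx != -1:
                idx += prev_end
        if idx == -1:
            return False
        prev_end = idx + len(needle)
    return True


def build_sample(gap: int) -> bytes:
    """Constructed sample (not real traffic): the hidden-div style from the first two
    contents, then `gap` filler bytes, then the object tag the third content looks for."""
    style = decode_pattern(RULE_CONTENTS[0][0]) + decode_pattern(RULE_CONTENTS[1][0])
    classid = decode_pattern(RULE_CONTENTS[2][0])
    return (b'<div style="position:absolute;width:1px;height:1px;overflow:hidden;'
            + style + b" " * gap + b"<object " + classid + b"></object></div>")
```

With a short gap the classid lands inside the 500-byte window and the chain matches; with a 600-byte gap the third content falls outside it and the rule does not fire.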
Current thread:
- Injected Eitest Script el cabezon (Oct 02)
- Re: Injected Eitest Script Geoffrey Serrao (Oct 03)
- Re: Injected Eitest Script Joshua Williams (Oct 03)
- <Possible follow-ups>
- Re: Injected Eitest Script el cabezon (Oct 03)
- Re: Injected Eitest Script el cabezon (Oct 04)
- Re: Injected Eitest Script Geoffrey Serrao (Oct 03)