Snort mailing list archives

Re: [Emerging-Sigs] Signatures for Clients POSTing to SEO/NEOsploit Exploit Kits - Round 2


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Tue, 10 Aug 2010 22:24:45 +0000

  On 8/10/2010 10:17 PM, Will Metcalf wrote:
Eoin,

To be completely honest other than looking at a modification to the
behavior of byte_test option parsing I haven't looked at the snort
source code in a very long time.  This is only the observed behavior of
content/modifier interaction that I have seen.  Hopefully somebody
from SF will respond.

Regards,

Will

Well, with your suggestions/modifications, the rules work great now 
(removing the http_client_body from the second match), and just using hex 
values seems to help a bit as well. Thank you so much for the input!

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|np"; distance:32; classtype:bad-unknown; sid:5600099; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; classtype:bad-unknown; sid:5600100; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:32; classtype:bad-unknown; sid:5600101; rev:3;)

-- Eoin
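To make the content/distance chain in these three rules concrete, here is an added example (mine, not code from the post or from Snort) that models the match logic in Python and runs it over a constructed POST body. It assumes both contents are evaluated against the HTTP client body, that `distance:32` means the second pattern must start at least 32 bytes after the end of the `id=` match, and that every occurrence of `id=` is retried; the sample request is synthetic, not captured traffic.

```python
# Simplified model of the content/distance chain in sids 5600099-5600101.
# Each rule: content "id=" in the client body, then a second content that must
# begin at least DISTANCE bytes after the END of the "id=" match (assumption:
# that is how Snort's `distance` modifier is read here).
RULES = {
    5600099: b"%26np",   # |25 32 36|np  -> "request for PDF exploit"
    5600100: b"%26j",    # |25 32 36|j   -> "request for Java exploit"
    5600101: b"%26jp",   # |25 32 36|jp  -> "request for Java and PDF exploits"
}
FIRST_CONTENT = b"id="
DISTANCE = 32


def client_body(request: bytes) -> bytes:
    """Return the body of a raw HTTP request, or b"" if it is not a POST."""
    head, _, body = request.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):      # models content:"POST"; http_method;
        return b""
    return body


def chained_match(body: bytes, first: bytes, second: bytes, distance: int) -> bool:
    """Emulate `content:first; content:second; distance:N;` on one buffer.

    Modeling assumption: when the relative second content fails, the first
    content is retried at later positions, so every occurrence is considered.
    """
    start = 0
    while True:
        idx = body.find(first, start)
        if idx == -1:
            return False
        if body.find(second, idx + len(first) + distance) != -1:
            return True
        start = idx + 1


def matching_sids(request: bytes) -> list[int]:
    """Return the sids (in rule order) whose content chain matches the request."""
    body = client_body(request)
    if not body:
        return []
    return [sid for sid, pattern in RULES.items()
            if chained_match(body, FIRST_CONTENT, pattern, DISTANCE)]


# Constructed sample request (synthetic): "id=" followed by a 32-byte value and
# a URL-encoded "&" ("%26", i.e. |25 32 36|) introducing the "jp" flag.
SAMPLE = (b"POST /in.php HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"id=" + b"A" * 32 + b"%26jp")
```

Running `matching_sids(SAMPLE)` shows that a `%26jp` body fires both 5600100 and 5600101, because the Java rule's pattern `|25 32 36|j` is a prefix of the Java-and-PDF pattern; a `%26np` body fires only 5600099.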


