Snort mailing list archives
Re: [Emerging-Sigs] Signatures for Clients POSTing to SEO/NEOsploit Exploit Kits - Round 2
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Tue, 10 Aug 2010 22:24:45 +0000
On 8/10/2010 10:17 PM, Will Metcalf wrote:
Eoin, to be completely honest, other than looking at a modification to the behavior of byte_test option parsing, I haven't looked at the Snort source code in a very long time. This is only the observed behavior of content/modifier interaction that I have seen. Hopefully somebody from SF will respond. Regards, Will
Well, with your suggestions/modifications, the rules work great now (removing the http_client_body from the second match), and just using hex values seems to help a bit as well. Thank you so much for the input!

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|np"; distance:32; classtype:bad-unknown; sid:5600099; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; classtype:bad-unknown; sid:5600100; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:32; classtype:bad-unknown; sid:5600101; rev:3;)

-- 
Eoin
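An added example (not from the thread) that emulates the content/distance chain of the three rules above against constructed POST bodies, to show which SIDs fire on each request type. It assumes Snort's `distance:32` means the second pattern may start at or after 32 bytes past the end of the "id=" match (no `within`, no HTTP normalization), and uses a 32-byte placeholder id value of 'A's.

```python
# Emulation of the content/distance chain in sids 5600099-5600101 (added
# example, not the rules' real evaluation engine). Assumption: distance:N is
# "next match starts at least N bytes after the end of the previous match";
# within, fast-pattern selection and HTTP body normalization are ignored.

# Each rule as (sid, [(pattern, distance), ...]); |25 32 36| is "%26", a
# URL-encoded "&" separating the id from the exploit type code.
RULES = {
    5600099: [(b"id=", 0), (b"\x25\x32\x36np", 32)],  # PDF exploit request
    5600100: [(b"id=", 0), (b"\x25\x32\x36j", 32)],   # Java exploit request
    5600101: [(b"id=", 0), (b"\x25\x32\x36jp", 32)],  # Java and PDF exploits
}

def chain_matches(body: bytes, chain) -> bool:
    """True if every pattern is found in order, each starting at least
    `distance` bytes after the end of the previous match."""
    end_of_prev = 0
    for pattern, distance in chain:
        idx = body.find(pattern, end_of_prev + distance)
        if idx < 0:
            return False
        end_of_prev = idx + len(pattern)
    return True

def match_rules(method: str, body: bytes) -> list:
    """SIDs whose http_method and http_client_body chain both match."""
    if method != "POST":
        return []
    return sorted(sid for sid, chain in RULES.items()
                  if chain_matches(body, chain))

# Constructed sample bodies: "id=" + 32-byte placeholder id + "%26" + type code.
ID_VALUE = b"A" * 32
PDF_BODY = b"id=" + ID_VALUE + b"%26np"
JAVA_BODY = b"id=" + ID_VALUE + b"%26j"
JP_BODY = b"id=" + ID_VALUE + b"%26jp"
SHORT_BODY = b"id=" + b"A" * 10 + b"%26np"  # id too short for distance:32

if __name__ == "__main__":
    for name, body in [("pdf", PDF_BODY), ("java", JAVA_BODY),
                       ("jp", JP_BODY), ("short", SHORT_BODY)]:
        print(name, match_rules("POST", body))
```

Note that a "jp" body fires both 5600100 and 5600101, because `|25 32 36|j` is a prefix of `|25 32 36|jp`; if one alert per request is wanted, the Java rule needs a terminator after the "j" or a lower priority.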