Snort mailing list archives

Re: [Emerging-Sigs] Signatures for Clients POSTing to SEO/NEOsploit Exploit Kits - Round 2


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 11 Aug 2010 17:08:11 +0000

  Best and final version; it looks like mucking around with these may have 
identified a bug in Snort. Now added the within keyword to further stop FPs:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|np"; distance:32; within:5; classtype:bad-unknown; sid:5600099; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; classtype:bad-unknown; sid:5600100; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:5; within:5; classtype:bad-unknown; sid:5600101; rev:4;)

-- Eoin
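The following is an added example, not code from the post above or from Snort: a small Python emulation of how the three rules are evaluated, so the effect of the distance/within pair can be checked against sample requests. It implements the POST method check, the anchor content "id=" in the HTTP client body, and the relative content that must lie wholly inside a window of `within` bytes starting `distance` bytes after the end of the anchor match, including Snort's retry of later anchor occurrences when the relative match fails. The hex content |25 32 36| is the URL-encoded ampersand "%26", so "|25 32 36|np" is "%26np". All requests, the host name, the path and the 32-byte token are constructed for illustration and are assumptions of this example; real Snort applies many more checks (flow state, port lists, HTTP normalization) than are modelled here.

```python
"""Emulation of the content / distance / within logic of the three
"EID DRIVEBY SEO Exploit Kit" rules.  Added example, not Snort code and
not part of the original post; sample requests are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RelContent:
    pattern: bytes   # bytes to find; b"%26np" is the rule's |25 32 36|np
    distance: int    # skip this many bytes after the end of the previous match
    within: int      # pattern must lie wholly inside the next `within` bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    anchor: bytes    # first content, searched anywhere in the client body
    rel: RelContent  # second content, relative to the anchor match


# The three rules from the post, transcribed into the toy representation.
RULES = [
    Rule(5600099, "EID DRIVEBY SEO Exploit Kit - request for PDF exploit",
         b"id=", RelContent(b"%26np", distance=32, within=5)),
    Rule(5600100, "EID DRIVEBY SEO Exploit Kit - request for Java exploit",
         b"id=", RelContent(b"%26j", distance=32, within=4)),
    Rule(5600101, "EID DRIVEBY SEO Exploit Kit - request for Java and PDF exploits",
         b"id=", RelContent(b"%26jp", distance=5, within=5)),
]


def split_request(raw: bytes):
    """Return (method, client_body) for a raw HTTP/1.x request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    method = head.split(b" ", 1)[0]
    return method, (body if sep else b"")


def relative_match(body: bytes, anchor: bytes, rel: RelContent) -> bool:
    """Relative content match: window starts `distance` bytes after the anchor
    and is `within` bytes long; slicing enforces that the pattern lies wholly
    inside it.  Like Snort, retry every later anchor hit before giving up."""
    idx = body.find(anchor)
    while idx != -1:
        start = idx + len(anchor) + rel.distance
        window = body[start:start + rel.within]
        if rel.pattern in window:
            return True
        idx = body.find(anchor, idx + 1)
    return False


def evaluate(raw_request: bytes) -> list:
    """SIDs of the rules above that would fire on this request, in rule order."""
    method, body = split_request(raw_request)
    if method != b"POST":                      # content:"POST"; http_method;
        return []
    return [r.sid for r in RULES if relative_match(body, r.anchor, r.rel)]


def _post(body: bytes) -> bytes:
    """Wrap a constructed body in a minimal POST request (hypothetical host/path)."""
    return (b"POST /in.php HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


TOKEN = b"0123456789abcdef0123456789abcdef"   # 32-byte constructed filler

# Constructed sample traffic.  "wrong_offset" shows why distance+within cuts
# FPs: the same "%26np" string at a different offset does not fire.
# "second_id" shows the backtracking over a first "id=" hidden in "uid=".
SAMPLES = {
    "pdf":          _post(b"id=" + TOKEN + b"%26np"),
    "java":         _post(b"id=" + TOKEN + b"%26j"),
    "both":         _post(b"id=" + b"12345" + b"%26jp"),
    "wrong_offset": _post(b"id=" + TOKEN[:10] + b"%26np"),
    "second_id":    _post(b"uid=42&id=" + TOKEN + b"%26np"),
    "get":          _post(b"id=" + TOKEN + b"%26np").replace(b"POST ", b"GET ", 1),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:13s} -> {evaluate(req)}")
```

Note that each window is exactly as long as its pattern (5 for "%26np", 4 for "%26j"), so the relative content can match at one offset only; that is what makes the within keyword tighten the earlier revisions.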

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users