Snort mailing list archives
Re: Rawin EK
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Jun 2013 10:32:05 -0400
On Jun 21, 2013, at 10:05 AM, lists () packetmail net wrote:
On 06/20/2013 06:02 PM, Joel Esler wrote:Thanks, this is how I added it: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:".php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:1;)Great, thanks Joel for the feedback, sig looks good. Anyone get exploit payload, not hostile jar, on this one?
I haven't yet. That being said, this is being discussed on another list I'm on right now, and I suggested the name "Rawin" (since that's what you called it), and that's the name I think they've adopted for it. The list hasn't seen the payload for it yet either. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Rawin EK Community Proposed (Jun 20)
- Re: Rawin EK Joel Esler (Jun 20)
- Re: Rawin EK lists () packetmail net (Jun 21)
- Re: Rawin EK Joel Esler (Jun 21)
- Re: Rawin EK lists () packetmail net (Jun 21)
- Re: Rawin EK Joel Esler (Jun 20)