Snort mailing list archives

Re: Rawin EK


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Jun 2013 10:32:05 -0400

On Jun 21, 2013, at 10:05 AM, lists () packetmail net wrote:
On 06/20/2013 06:02 PM, Joel Esler wrote:

Thanks, this is how I added it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:".php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:1;)

Great, thanks Joel for the feedback, sig looks good.  Anyone get exploit
payload, not hostile jar, on this one?

I haven't yet.  

That being said, this is being discussed on another list I'm on right now, and I suggested the name "Rawin" (since 
that's what you called it), and that's the name I think they've adopted for it.  The list hasn't seen the payload for 
it yet either.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
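To make the matching in sid:26985 explicit, the following is an added Python re-implementation of the rule's three URI checks (not Snort's engine and not code from the thread), run over a few constructed request lines. It shows how the second content match is chained to the first by distance:0 and that the pcre's character class accepts upper-case hex only, so an otherwise identical lower-case id would pass both content checks and still not alert.

```python
import re

# Literal content matches and pcre taken from sid:26985 in the thread above.
# Snort content matches are case-sensitive unless "nocase" is set, and the
# pcre has no /i flag; the /U modifier (match the normalized URI buffer) is
# dropped here because we apply the pattern to the URI string directly.
CONTENT_1 = ".php?b="
CONTENT_2 = "&v=1."
URI_PCRE = re.compile(r"\.php\?b=[A-F0-9]+&v=1\.")


def request_line_uri(request_line: str) -> str:
    """Extract the request-URI from a request line like
    'GET /x.php?b=AB&v=1.7 HTTP/1.1'. Raises ValueError if malformed."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1]


def matches_sid_26985(uri: str) -> bool:
    """Apply the rule's checks in order. The first content may appear
    anywhere in the URI; the second, with distance:0, must start at or after
    the end of the first match; finally the pcre must match the URI."""
    i = uri.find(CONTENT_1)
    if i == -1:
        return False
    if uri.find(CONTENT_2, i + len(CONTENT_1)) == -1:
        return False
    return URI_PCRE.search(uri) is not None


def alerting_requests(request_lines):
    """Return the URIs from request_lines that would trigger the rule."""
    return [u for u in map(request_line_uri, request_lines) if matches_sid_26985(u)]


# Constructed sample request lines (not real traffic). Only the first one
# alerts: the second uses lower-case hex, the third has an extra parameter
# between the id and "&v=1.", and the fourth has the parameters in the other order.
SAMPLE_REQUESTS = [
    "GET /gate.php?b=0A1B2C3D&v=1.7 HTTP/1.1",
    "GET /gate.php?b=0a1b2c3d&v=1.7 HTTP/1.1",
    "GET /other.php?b=0A1B&x=1&v=1.7 HTTP/1.1",
    "GET /index.php?v=1.7&b=0A1B HTTP/1.1",
]

if __name__ == "__main__":
    for uri in alerting_requests(SAMPLE_REQUESTS):
        print("ALERT sid:26985", uri)
```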