Snort mailing list archives
Re: Private Exploit Kit
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 5 Jul 2013 13:56:08 -0400
James, I’m working on this exploit kit right now. Your sig below does fire on one of the examples I have so I’ll tweak it some. Thanks. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On Jul 5, 2013, at 1:44 PM, James Lay <jlay () slave-tothe-box net> wrote:
Let's hope this isn't a muffed sig: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Private Exploit Kit outbound traffic"; flow:to_server,established; content:"Java|2f|1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:10000084; rev:1;) Thoughts on the pcre?...not sure if there's a better way..thanks all. James ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Private Exploit Kit James Lay (Jul 05)
- Re: Private Exploit Kit Joel Esler (Jul 05)
- Re: Private Exploit Kit James Lay (Jul 05)
- Re: Private Exploit Kit Joel Esler (Jul 05)