Snort mailing list archives

Re: Rig Exploit Kit outbound URI request signature


From: Geoffrey Serrao <gserrao () sourcefire com>
Date: Thu, 10 Jul 2014 11:33:48 -0400

Hi Nick,

Thanks for submitting this. I'll go ahead and push this rule to our testing
sensors.


On Thu, Jul 10, 2014 at 11:21 AM, Nicholas Mavis (nmavis) <nmavis () cisco com>
wrote:

 No love for this rule?

  From: nmavis <nmavis () cisco com>
Date: Thursday, July 3, 2014 at 1:03 PM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Rig Exploit Kit outbound URI request signature

  Forgot a forward slash in the content match. Revised below:

 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Rig Exploit Kit Outbound DGA Request"; flow:to_server,established;
content:"/nbe.html?0."; http_uri; fast_pattern:only;
pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui";
flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight;
metadata:service http; classtype:trojan-activity; )

  From: nmavis <nmavis () cisco com>
Date: Thursday, July 3, 2014 at 12:49 PM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] Rig Exploit Kit outbound URI request signature

  We have a few rules for Rig Exploit Kit; however, here is one for the DGA
algorithm used. The reference article and rule are below:


http://www.symantec.com/connect/ko/blogs/rig-exploit-kit-used-recent-website-compromise

 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Rig Exploit Kit Outbound DGA Request"; flow:to_server,established;
content:"nbe.html?0."; http_uri; fast_pattern:only;
pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui";
flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight;
metadata:service http; classtype:trojan-activity; )


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
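An added example, not part of the thread or of the Snort ruleset, that mirrors the revised rule's matching logic in Python over constructed proxy-log request lines, so the leading slash, the case-insensitive anchored PCRE and the 16 to 17 digit bound can be checked offline. The log line format, client addresses and the hostname are constructed; percent-decoding only approximates Snort's http_uri normalization.

```python
import re
from urllib.parse import urlsplit, unquote

# Same pattern as the rule's pcre option: "U" = normalized URI buffer, "i" = case-insensitive.
RIG_DGA_URI = re.compile(r"^/nbe\.html\?0\.[0-9]{16,17}$", re.IGNORECASE)
# Same string as the revised content match (with the forward slash the first draft lacked).
FAST_PATTERN = "/nbe.html?0."

# Constructed proxy-log lines: "<client> <method> <url> <status>" (hypothetical format).
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://example.invalid/nbe.html?0.1234567890123456 200",       # 16 digits: hit
    "10.0.0.5 GET http://example.invalid/nbe.html?0.12345678901234567 200",      # 17 digits: hit
    "10.0.0.7 GET http://example.invalid/nbe.html?0.123456789012345 200",        # 15 digits: miss
    "10.0.0.7 GET http://example.invalid/index.html 200",                        # unrelated: miss
    "10.0.0.9 GET http://example.invalid/NBE.HTML?0.1234567890123456 200",       # case differs: hit
    "10.0.0.9 GET http://example.invalid/nbe.html?0.1234567890123456&x=1 404",   # trailing data: miss ($ anchor)
]


def match_rig_dga_uri(uri: str) -> bool:
    """Mirror the rule: cheap substring check first (fast_pattern), then the anchored regex."""
    if FAST_PATTERN not in uri.lower():
        return False
    return RIG_DGA_URI.match(uri) is not None


def normalized_uri(url: str) -> str:
    """Rebuild path?query from an absolute URL, percent-decoded (approximates http_inspect)."""
    parts = urlsplit(url)
    uri = unquote(parts.path)
    if parts.query:
        uri += "?" + unquote(parts.query)
    return uri


def scan_request_lines(lines):
    """Return (client, uri) for every outbound request whose URI matches the rule.
    The rule's flowbits (used by follow-on jar/silverlight file rules) are not modelled here."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash
        client, url = fields[0], fields[2]
        uri = normalized_uri(url)
        if match_rig_dga_uri(uri):
            hits.append((client, uri))
    return hits


if __name__ == "__main__":
    for client, uri in scan_request_lines(SAMPLE_PROXY_LOG):
        print(f"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request: {client} -> {uri}")
```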
