Snort mailing list archives
Re: Rig Exploit Kit outbound URI request signature
From: Geoffrey Serrao <gserrao () sourcefire com>
Date: Thu, 10 Jul 2014 11:33:48 -0400
Hi Nick, Thanks for submitting this. I'll go ahead and push this rule to our testing sensors. On Thu, Jul 10, 2014 at 11:21 AM, Nicholas Mavis (nmavis) <nmavis () cisco com> wrote:
No love for this rule? From: nmavis <nmavis () cisco com> Date: Thursday, July 3, 2014 at 1:03 PM To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net> Subject: Re: [Snort-sigs] Rig Exploit Kit outbound URI request signature Forgot a forward slash in the content match. Revised below: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:to_server,established; content:”/nbe.html?0."; http_uri; fast_pattern:only; pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui”; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:service http; classtype:trojan-activity; ) From: nmavis <nmavis () cisco com> Date: Thursday, July 3, 2014 at 12:49 PM To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net> Subject: [Snort-sigs] Rig Exploit Kit outbound URI request signature We have a few rules for Rig Exploit Kit however here is one for the DGA algorithm used. The reference article and rule are below: http://www.symantec.com/connect/ko/blogs/rig-exploit-kit-used-recent-website-compromise alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:to_server,established; content:"nbe.html?0."; http_uri; fast_pattern:only; pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui”; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:service http; classtype:trojan-activity; ) ------------------------------------------------------------------------------ Open source business process management suite built on Java and Eclipse Turn processes into business applications with Bonita BPM Community Edition Quickly connect people, data, and systems into organized workflows Winner of BOSSIE, CODIE, OW2 and Gartner awards http://p.sf.net/sfu/Bonitasoft _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Open source business process management suite built on Java and Eclipse Turn processes into business applications with Bonita BPM Community Edition Quickly connect people, data, and systems into organized workflows Winner of BOSSIE, CODIE, OW2 and Gartner awards http://p.sf.net/sfu/Bonitasoft
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 03)
- <Possible follow-ups>
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 03)
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)