Snort mailing list archives

Re: Rig Exploit Kit outbound URI request signature


From: "lists () packetmail net" <lists () packetmail net>
Date: Thu, 10 Jul 2014 11:20:00 -0500

On 07/10/2014 11:03 AM, Geoffrey Serrao wrote:
I've put into testing two rules which should cover both cases. 

I wouldn't fixate on the names in the .html files, they vary.  This is what Ify,
Will, and I came up with on the Emerging-Threats side:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ET CURRENT_EVENTS food.com compromise hostile JavaScript gate"; \
    flow:established,to_server; \
    content:".html?0."; http_uri; fast_pattern:only; \
    pcre:"/\/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$/U"; \
    classtype:trojan-activity; \
    sid:2018505; rev:4;)

Hmm, that's strange, the [a-z] should be {1,6} not {1,3} -- letting Will know now.

Cheers,
Nathan Fowler
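As an added example (not part of the original message or the Emerging Threats ruleset), the rule's URI logic emulated in Python so the effect of the {1,3} versus {1,6} bound Nathan points out can be checked against constructed URIs; the sample URIs are made up, not taken from traffic:

```python
import re

# The rule's fast-pattern content match, applied to the normalized URI buffer.
FAST_PATTERN = ".html?0."

def make_uri_pattern(max_name_len):
    """Build the rule's PCRE with a configurable upper bound on the file-name
    length: 3 as shipped in rev:4, 6 as the message says it should be."""
    return re.compile(r"/[a-z]{1,%d}\.html\?0\.[0-9]+[a-z]?$" % max_name_len)

def rule_matches(uri, max_name_len=3):
    """Emulate the rule on one normalized URI: the content match must hit
    first (fast_pattern), then the PCRE must match the whole URI tail."""
    if FAST_PATTERN not in uri:
        return False
    return make_uri_pattern(max_name_len).search(uri) is not None

# Constructed sample URIs (not real traffic) covering the bound and its edges.
SAMPLE_URIS = [
    "/ab.html?0.123",        # 2-letter name: caught by both bounds
    "/page.html?0.44",       # 4-letter name: missed by {1,3}
    "/index.html?0.5",       # 5-letter name: missed by {1,3}
    "/abcdef.html?0.9876a",  # 6-letter name with trailing letter: {1,6} only
    "/abcdefg.html?0.1",     # 7-letter name: outside both bounds
    "/ab.html?0.12x1",       # content hits, but PCRE rejects the trailing digit
    "/ab.html?1.123",        # fast pattern absent, PCRE never evaluated
]

def compare_bounds(uris):
    """Return {uri: (matches_with_1_3, matches_with_1_6)} to show what the
    narrower bound misses."""
    return {u: (rule_matches(u, 3), rule_matches(u, 6)) for u in uris}

if __name__ == "__main__":
    for uri, (narrow, wide) in compare_bounds(SAMPLE_URIS).items():
        print(f"{uri:24} {{1,3}}={str(narrow):5} {{1,6}}={str(wide):5}")
```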

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

