Snort mailing list archives
Re: Rig Exploit Kit outbound URI request signature
From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Thu, 3 Jul 2014 17:03:17 +0000
Forgot a forward slash in the content match. Revised below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:to_server,established; content:"/nbe.html?0."; http_uri; fast_pattern:only; pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:service http; classtype:trojan-activity; )

From: nmavis <nmavis () cisco com>
Date: Thursday, July 3, 2014 at 12:49 PM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] Rig Exploit Kit outbound URI request signature

We have a few rules for Rig Exploit Kit, however here is one for the DGA algorithm used. The reference article and rule are below:

http://www.symantec.com/connect/ko/blogs/rig-exploit-kit-used-recent-website-compromise

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:to_server,established; content:"nbe.html?0."; http_uri; fast_pattern:only; pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:service http; classtype:trojan-activity; )
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 03)
- <Possible follow-ups>
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 03)
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)