Snort mailing list archives

Re: SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request


From: Y M <snort () outlook com>
Date: Wed, 24 Sep 2014 15:46:52 +0000

Inline please.

Date: Wed, 24 Sep 2014 08:37:34 -0400
From: joe.gedeon () gmail com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request

With this new signature we are getting quite a few false positives for this signature. Looking at the documentation 
linked in the signature it seems the section about not having a referrer was common in these. Is there documentation 
that shows a recent version of the Astrum exploit kit is now accepting requests with referrers in the header?
"with Astrum : show a referer and you'll get ignored and IP banned. Firefox, Chrome and Opera are also ignored"

# I believe the author of the article was referring to the landing page of the exploit kit. If you look at the pcaps 
made available by the author of the article, all landing pages did not have the Referer HTTP header. In this case, 
the payload request (or redirection) is referred by the landing page; in other words, the payload request has the 
landing page URL as the Referer.

It seems this rule is completely missing the exploit attempt and is creating a high number of false positives.

# I just ran the sigs (sid:319565 - sid:31972) against the same pcaps of the article's author and the detection is 
there. How is it missing the exploit attempt? Or am I missing something? :)

A sample ascii packet that the rule is triggering on:

07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto TCP (6), length 1052)
    192.168.1.28.58269 > 162.208.20.163.80: Flags [P.], cksum 0x617e (correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012
E...J.@................P......[.P...a~..
GET /v1/epix/6835069/3845993/81088/122369/PbqfCmHAMhCcRUIqqIAAE8wAAB3gEAOq9pAAAAAAAxr2GnBMbwAQ/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_JmMxPTgmYzI9NjAwMDAwNiZjMz04MTA4OCZjND0zODQ1OTkzJmM1PTE4OTI3JmM2PTY4MzUwNjkmYzEwPTEyMjM2OSZjdj0xLjcmY2o9MSZybj0xNDExNTU4MDI0JnI9aHR0cCUzQSUyRiUyRnBpeGVsLnF1YW50c2VydmUuY29tJTJGcGl4ZWwlMkZwLWNiNkMwekZGN2RXakkuZ2lmJTNGbGFiZWxzJTNEcC42ODM1MDY5LjM4NDU5OTMuMCUyQ2EuMTg5MjcuODEwODguMTIyMzY5JTJDdS45NjguNjQweDM2MCUzQm1lZGlhJTNEYWQlM0JyJTNEMTQxMTU1ODAyNA/cnbd. HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/20140918.77768_master/Scout.swf?type=r&config_url_64=&hidefb=true&cx=&t=33&d=300x250&x-flash-version: 11,8,800,175
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0;)
Host: brxserv-20.btrll.com
Connection: Keep-Alive
Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ; MEB=BUqRdAABPPEAOtI8AAHejA

# Just to be clear, does the above capture represent an actual exploit or the FP you are referring to? 

-- 
Registered Linux User # 379282


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!                                       
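The referer relationship Y M describes above (landing page fetched with no Referer, payload request carrying the landing page URL as its Referer) written out as a standalone triage check. This is an added example for this archive page, not code from the thread, from the Snort rule, or from the cited article; the sample requests, hostnames and paths are constructed placeholders, and the restriction to .swf payload paths is an assumption made here to match the Flash payload this SID targets.

```python
from urllib.parse import urlsplit

# Constructed sample requests (raw HTTP/1.1 as reassembled from a pcap).
# Request 1: landing page, no Referer.  Request 2: Flash payload referred by
# the landing page.  Request 3: an ad pixel whose Referer is a CDN-hosted SWF,
# shaped like the capture in the thread, which this check must not flag.
SAMPLE_REQUESTS = [
    "GET /landing/index.php HTTP/1.1\r\nHost: ek.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n",
    "GET /payload/x.swf HTTP/1.1\r\nHost: ek.example\r\n"
    "Referer: http://ek.example/landing/index.php\r\n\r\n",
    "GET /v1/epix/event.imp/r_64.abc HTTP/1.1\r\nHost: ad.example\r\n"
    "Referer: http://cdn.example/Scout.swf\r\n\r\n",
]


def parse_request(raw):
    """Return (method, path, headers) for a raw HTTP/1.x request; header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def request_url(path, headers):
    """Rebuild the absolute URL the browser would place in a later Referer header."""
    return "http://" + headers.get("host", "") + path


def find_referred_payloads(raws):
    """Return (landing_url, payload_url) pairs where a request seen earlier *without*
    a Referer is later named as the Referer of a .swf request (assumed payload shape).
    A request whose Referer was never seen as a referer-less request is not flagged."""
    referer_less = set()
    hits = []
    for raw in raws:
        _method, path, headers = parse_request(raw)
        url = request_url(path, headers)
        referer = headers.get("referer")
        if referer is None:
            referer_less.add(url)
            continue
        if referer in referer_less and urlsplit(url).path.lower().endswith(".swf"):
            hits.append((referer, url))
    return hits
```

Run over the constructed sample, only the landing-page/payload pair is returned; the ad-pixel request with a CDN Referer is left alone, which is the distinction between the thread's capture and the traffic the rule is meant to cover.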