Snort mailing list archives
Re: SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request
From: Y M <snort () outlook com>
Date: Wed, 24 Sep 2014 15:46:52 +0000
Inline please.

Date: Wed, 24 Sep 2014 08:37:34 -0400
From: joe.gedeon () gmail com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request

With this new signature we are getting quite a few false positives for this signature. Looking at the documentation linked in the signature it seems the section about not having a referrer was common in these. Is there documentation that shows a recent version of the Astrum exploit kit is now accepting requests with referrers in the header?

"with Astrum : show a referer and you'll get ignored and IP banned. Firefox, Chrome and Opera are also ignored"

# I believe the author of the article was referring to the landing page of the exploit kit. If you look at the pcaps made available by the author of the article, all landing pages did not have the referer HTTP header. In this case, the payload request (or redirection) is referred by the landing page; in other words, the payload request has the landing page URL as the referer.

It seems this rule is completely missing the exploit attempt and is creating a high number of false positives.

# I just ran the sigs (sid:319565 - sid:31972) against the same pcaps of the article's author and the detection is there. How is it missing the exploit attempt? Or am I missing something? :)

A sample ascii packet that the rule is triggering on:

07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto TCP (6), length 1052)
    192.168.1.28.58269 > 162.208.20.163.80: Flags [P.], cksum 0x617e (correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012
E...J.@................P......[.P...a~..
GET /v1/epix/6835069/3845993/81088/122369/PbqfCmHAMhCcRUIqqIAAE8wAAB3gEAOq9pAAAAAAAxr2GnBMbwAQ/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_JmMxPTgmYzI9NjAwMDAwNiZjMz04MTA4OCZjND0zODQ1OTkzJmM1PTE4OTI3JmM2PTY4MzUwNjkmYzEwPTEyMjM2OSZjdj0xLjcmY2o9MSZybj0xNDExNTU4MDI0JnI9aHR0cCUzQSUyRiUyRnBpeGVsLnF1YW50c2VydmUuY29tJTJGcGl4ZWwlMkZwLWNiNkMwekZGN2RXakkuZ2lmJTNGbGFiZWxzJTNEcC42ODM1MDY5LjM4NDU5OTMuMCUyQ2EuMTg5MjcuODEwODguMTIyMzY5JTJDdS45NjguNjQweDM2MCUzQm1lZGlhJTNEYWQlM0JyJTNEMTQxMTU1ODAyNA/cnbd. HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/20140918.77768_master/Scout.swf?type=r&config_url_64=&hidefb=true&cx=&t=33&d=300x250&
x-flash-version: 11,8,800,175
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0;)
Host: brxserv-20.btrll.com
Connection: Keep-Alive
Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ; MEB=BUqRdAABPPEAOtI8AAHejA

# Just to be clear, does the above capture represent an actual exploit or the FP you are referring to?

--
Registered Linux User # 379282
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
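An added example, not taken from the thread or from Snort's rule set, that applies the reasoning in the reply above to a small HTTP session: a landing page fetched with no Referer, a payload request whose Referer is that landing page URL, and the reported false positive whose Referer is an unrelated ad host. The landing host, the payload path and the shortened false-positive request are constructed for the example.

```python
from typing import Dict, List


def parse_request(raw: str) -> Dict:
    """Parse a raw HTTP request into method, path, lower-cased headers and
    the URL rebuilt from Host + path (for matching against Referer)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers,
            "url": "http://" + headers.get("host", "") + path}


def classify(requests: List[Dict]) -> List[str]:
    """Label requests in session order:
    landing-like: no Referer at all (the condition quoted from the article);
    payload-like: Referer is the URL of an earlier landing-like request;
    unchained:    Referer points at a page not seen earlier in the session,
                  as with the ad traffic in the reported false positive."""
    labels, landing_urls = [], set()
    for req in requests:
        referer = req["headers"].get("referer")
        if referer is None:
            labels.append("landing-like")
            landing_urls.add(req["url"])
        elif referer in landing_urls:
            labels.append("payload-like")
        else:
            labels.append("unchained")
    return labels


# Constructed sample session: hypothetical landing host and payload path,
# plus a shortened copy of the false-positive request from the thread.
LANDING = ("GET /lp/index.html HTTP/1.1\r\nHost: landing.example.invalid\r\n"
           "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n\r\n")
PAYLOAD = ("GET /p/flash.swf HTTP/1.1\r\nHost: landing.example.invalid\r\n"
           "Referer: http://landing.example.invalid/lp/index.html\r\n\r\n")
FALSE_POSITIVE = ("GET /v1/epix/event.imp HTTP/1.1\r\nHost: brxserv-20.btrll.com\r\n"
                  "Referer: http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/Scout.swf\r\n"
                  "x-flash-version: 11,8,800,175\r\n\r\n")


def triage_session() -> List[str]:
    # Classify the sample session in capture order.
    return classify([parse_request(r) for r in (LANDING, PAYLOAD, FALSE_POSITIVE)])
```

Run over a real pcap, the same chaining check distinguishes a payload request referred by a no-Referer landing page from a flagged request whose Referer belongs to ad or analytics traffic never seen as a landing page.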