Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Rule 31971 FP

From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 19 Jul 2016 12:25:37 -0600
Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT 
Astrum exploit kit multiple exploit download request"; 
flow:to_server,established; urilen:>60,norm; content:"GET"; content:".. 
HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e\x2e$/mU"; 
content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; 
flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; 
metadata:ruleset community, service http; 
reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; 
classtype:trojan-activity; sid:31971; rev:6;)

Hit:
15:18:17  [1:31971:6] EXPLOIT-KIT Astrum exploit kit multiple exploit 
download request [**] [Classification: A Network Trojan was Detected] 
[Priority: 1] {TCP} x.x.x.31:36964 -> 54.214.7.76:80

Minidump:

GET 
/img/BAQgBEAEawAJ2THSsgosiINnMMOKPnivWKSK-WmHHLwvtmTf2TDI_GvIodQ_BC3ECFW2pB4Rc0SaWcahwD5LCxpQzMF_iWQ4FzrBHmsPmd6bPzMMiCxzSlfbe--xjlKsUxGAHQKUuu-4FaP0lhe4w9Q7YNdyLgjPcbAgTleTkNjG-QkEwLHUdHvkL_8ShmCfMeM2T3n7S4-H1imfbeKh6Yx8jflgCNQ858ep-BI_FfDJA-v4-JKKGTDrgyOyiYiZFkt0cioCGmkc2Wy7qHr2QoZbvzYXurKhmYUpaoZCmwT-0s4ZUCpxDXHVtM9X6GMvN0GH_qXUzDqtaG8AkmOYFEpsSz9r7tBteJcTy_6HiFntanl3eXlOp8o7MaY_FAj8D1tUI_R95rauArAkdaUcPHiu58Kf7uGPyFuV9tFNoFQPRzsl_J81Awg

HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; 
Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 
14.0.7169; ms-office; MSOffice 14)..Cookie: 
memclid=21b57a19-e2e0-42a2-951d-e002566897f9;
nfvdid=BQFmAAEBEELUkqGYP7%2FKyVGLUWVNhVYwwGpua4oOhiyvadb1%2BjQgdDwpfFx7O0qavfWycinL7aMBDTBg4byDD1sqttlNb%2BUp
Host: beacon.netflix.com
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

James

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: