Snort mailing list archives
Rule 31971 FP
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 19 Jul 2016 12:25:37 -0600
Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:".. HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e\x2e$/mU"; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:6;)

Hit:

15:18:17 [1:31971:6] EXPLOIT-KIT Astrum exploit kit multiple exploit download request [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.31:36964 -> 54.214.7.76:80

Minidump:

GET /img/BAQgBEAEawAJ2THSsgosiINnMMOKPnivWKSK-WmHHLwvtmTf2TDI_GvIodQ_BC3ECFW2pB4Rc0SaWcahwD5LCxpQzMF_iWQ4FzrBHmsPmd6bPzMMiCxzSlfbe--xjlKsUxGAHQKUuu-4FaP0lhe4w9Q7YNdyLgjPcbAgTleTkNjG-QkEwLHUdHvkL_8ShmCfMeM2T3n7S4-H1imfbeKh6Yx8jflgCNQ858ep-BI_FfDJA-v4-JKKGTDrgyOyiYiZFkt0cioCGmkc2Wy7qHr2QoZbvzYXurKhmYUpaoZCmwT-0s4ZUCpxDXHVtM9X6GMvN0GH_qXUzDqtaG8AkmOYFEpsSz9r7tBteJcTy_6HiFntanl3eXlOp8o7MaY_FAj8D1tUI_R95rauArAkdaUcPHiu58Kf7uGPyFuV9tFNoFQPRzsl_J81Awg HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 14.0.7169; ms-office; MSOffice 14)..
Cookie: memclid=21b57a19-e2e0-42a2-951d-e002566897f9; nfvdid=BQFmAAEBEELUkqGYP7%2FKyVGLUWVNhVYwwGpua4oOhiyvadb1%2BjQgdDwpfFx7O0qavfWycinL7aMBDTBg4byDD1sqttlNb%2BUp
Host: beacon.netflix.com
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

James
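An added example, not part of James Lay's post or of the Snort ruleset: a small Python checker that applies the request-byte conditions of rule 31971 (urilen, the two raw content matches, the URI pcre, and the http_header content) to two constructed requests. The first is a reconstruction of the beacon.netflix.com request from the minidump above, with CRLF line endings assumed and the ".." printed after the User-Agent value read as the rendered line ending; the second is a synthetic request built only to satisfy every condition and is not a real Astrum sample. The flow and flowbits options are left out because they depend on stream state rather than on the bytes of one request, and URI normalization is skipped because neither sample carries any encoding that Snort's normalizer would change (an assumption stated in the code).

```python
"""Evaluate the request-byte conditions of Snort rule 31971 against sample HTTP requests."""
import re

# Conditions transcribed from the rule. flow/flowbits are omitted (stream state,
# not request bytes).
FAST_PATTERN = b".. HTTP/1."                          # content:".. HTTP/1."; fast_pattern:only
URI_PCRE = re.compile(rb"/[\w-]*\.\.$", re.M)        # pcre:"/\x2f[\w\x2d]*\x2e\x2e$/mU"
HEADER_CONTENT = b"Connection: Keep-Alive\r\n"       # content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header


def parse_request(raw: bytes):
    """Return (uri, header_block) from a raw HTTP/1.x request.

    header_block mimics Snort's http_header buffer: the header lines after the
    request line, each terminated by CRLF.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1], header_block + b"\r\n"


def evaluate(raw: bytes) -> dict:
    """Map each rule condition to whether this request satisfies it."""
    uri, headers = parse_request(raw)
    return {
        # urilen:>60,norm -- assumption: no percent-encoding or path tricks, so
        # the raw URI equals the normalized one for these samples.
        "urilen>60": len(uri) > 60,
        "content GET": b"GET" in raw,                       # raw-payload content
        "content .. HTTP/1.": FAST_PATTERN in raw,          # raw-payload content
        "pcre uri ends with ..": URI_PCRE.search(uri) is not None,
        "http_header Connection Keep-Alive": HEADER_CONTENT in headers,
    }


def matches(raw: bytes) -> bool:
    """True only when every transcribed condition holds (rule options are ANDed)."""
    return all(evaluate(raw).values())


# Constructed sample 1: the beacon.netflix.com request from the posted minidump,
# re-joined with CRLF line endings (assumption).
NETFLIX_REQUEST = (
    b"GET /img/BAQgBEAEawAJ2THSsgosiINnMMOKPnivWKSK-WmHHLwvtmTf2TDI_GvIodQ_BC3ECFW2pB4Rc0SaWcahwD5LCxpQzMF_iWQ4FzrBHmsPmd6bPzMMiCxzSlfbe--xjlKsUxGAHQKUuu-4FaP0lhe4w9Q7YNdyLgjPcbAgTleTkNjG-QkEwLHUdHvkL_8ShmCfMeM2T3n7S4-H1imfbeKh6Yx8jflgCNQ858ep-BI_FfDJA-v4-JKKGTDrgyOyiYiZFkt0cioCGmkc2Wy7qHr2QoZbvzYXurKhmYUpaoZCmwT-0s4ZUCpxDXHVtM9X6GMvN0GH_qXUzDqtaG8AkmOYFEpsSz9r7tBteJcTy_6HiFntanl3eXlOp8o7MaY_FAj8D1tUI_R95rauArAkdaUcPHiu58Kf7uGPyFuV9tFNoFQPRzsl_J81Awg HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 14.0.7169; ms-office; MSOffice 14)\r\n"
    b"Cookie: memclid=21b57a19-e2e0-42a2-951d-e002566897f9; nfvdid=BQFmAAEBEELUkqGYP7%2FKyVGLUWVNhVYwwGpua4oOhiyvadb1%2BjQgdDwpfFx7O0qavfWycinL7aMBDTBg4byDD1sqttlNb%2BUp\r\n"
    b"Host: beacon.netflix.com\r\n"
    b"Cache-Control: max-stale=0\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)

# Constructed sample 2: a synthetic request shaped only to satisfy every
# condition (long path of [\w-] characters ending in ".."). Not a real Astrum URI.
ASTRUM_STYLE_REQUEST = (
    b"GET /" + b"A" * 70 + b".. HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, req in (("netflix", NETFLIX_REQUEST), ("astrum-style", ASTRUM_STYLE_REQUEST)):
        print(name, "->", "MATCH" if matches(req) else "no match")
        for cond, ok in evaluate(req).items():
            print(f"  {cond:40s} {ok}")
```

Run as written, the reconstructed Netflix request satisfies urilen, the GET content and the Connection: Keep-Alive header, but not the two conditions that require a literal ".." in the URI and before " HTTP/1.". Since the sensor did alert, the bytes on the wire evidently differ from the rendered dump, so when tuning a rule like this the thing to inspect is the raw packet payload (for example the full packet from the event's pcap) rather than the printable transcription, and the first candidate to look at is whatever sat between the URI and the version string.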