Snort mailing list archives
Re: Injected Eitest Script
From: Geoffrey Serrao <gserrao () sourcefire com>
Date: Mon, 3 Oct 2016 15:47:57 -0400
The content matches are all ascii, so there is no need to hex escape them:

content:"6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20"; fast_pattern:only;

On Sun, Oct 2, 2016 at 10:04 AM, el cabezon <elcabezzonn () gmail com> wrote:
I've visited several websites that follow the same pattern as rule sid:38275, "EXPLOIT-KIT Neutrino exploit kit redirection attempt", but replace the ascii with hex ascii. So I just converted the rule's hex ascii to hex and followed the same template that rule, sid:38275, used. Please let me know if this rule is too bloated. Any critiques and recommendations are welcome.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
  msg:"EXPLOIT-KIT Injected EITest script redirection attempt"; \
  flow:to_client,established; \
  file_data; \
  content:"|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 36 63 78 37 34 78 36 35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78 33 30 78 32 39 78 33 62 78 32 30|"; fast_pattern:only; \
  content:"|32 64 78 36 64 78 36 66 78 37 61 78 32 64 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 32 32 78 33 65|"; \
  content:"|36 33 78 36 63 78 36 31 78 37 33 78 37 33 78 36 39 78 36 34 78 33 64 78 32 32 78 36 33 78 36 63 78 37 33 78 36 39 78 36 34 78 33 61 78 36 34 78 33 32 78 33 37 78 36 33 78 36 34 78 36 32 78 33 36 78 36 35 78 32 64 78 36 31 78 36 35 78 33 36 78 36 34 78 32 64 78 33 31 78 33 31 78 36 33 78 36 36 78 32 64 78 33 39 78 33 36 78 36 32 78 33 38 78 32 64 78 33 34 78 33 34 78 33 34 78 33 35 78 33 35 78 33 33 78 33 35 78 33 34 78 33 30 78 33 30 78 33 30 78 33 30 78 32 32|"; within:500; \
  classtype:trojan-activity; sid:1000000008; rev:1;)

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
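The exchange turns on one point: the pipe-delimited hex in the posted rule and the plain text in the reply describe exactly the same bytes, and those bytes are themselves a hex-obfuscated CSS/HTML fragment. The following script is an added example, not code from the thread or from the Snort project; it copies the first two content strings of the posted rule and the ascii rewrite from the reply, shows they are byte-identical, rewrites a hex content to literal form only when every byte is printable ascii and not one of the characters Snort 2 requires escaping inside a content string (`;`, `\`, `"`, with the `|` hex delimiter treated the same way), and decodes the `x`-joined byte values into the readable fragment so a rule comment can say what is actually being matched. The function names and the assumption that the obfuscated string uses `x` as the separator without backslashes (which is how it appears in the thread) are this example's own.

```python
"""Added example: compare the hex-escaped and ascii forms of a Snort content match,
and decode the 'x'-joined hex pairs the injected script uses. Not part of the thread."""

# Content values copied from the thread: the posted rule's first two matches and the
# ascii rewrite given in the reply.
HEX_CONTENT_1 = "|36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 36 36 78 36 39 78 36 63 78 37 34 78 36 35 78 37 32 78 33 61 78 36 31 78 36 63 78 37 30 78 36 38 78 36 31 78 32 38 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 64 78 33 30 78 32 39 78 33 62 78 32 30|"
ASCII_CONTENT_1 = "6fx70x61x63x69x74x79x3ax30x3bx66x69x6cx74x65x72x3ax61x6cx70x68x61x28x6fx70x61x63x69x74x79x3dx30x29x3bx20"
HEX_CONTENT_2 = "|32 64 78 36 64 78 36 66 78 37 61 78 32 64 78 36 66 78 37 30 78 36 31 78 36 33 78 36 39 78 37 34 78 37 39 78 33 61 78 33 30 78 33 62 78 32 32 78 33 65|"

# Bytes that must not appear unescaped inside a Snort 2 content string: ; \ " and the
# | hex delimiter (the pipe is treated conservatively here).
SNORT_SPECIAL = frozenset(b';\\"|')


def snort_content_bytes(content: str) -> bytes:
    """Turn a Snort content value (literal text with optional |xx xx| hex spans) into bytes."""
    out = bytearray()
    pos = 0
    while pos < len(content):
        if content[pos] == "|":
            end = content.index("|", pos + 1)           # ValueError if the hex span is unterminated
            out += bytes.fromhex(content[pos + 1:end])  # fromhex skips the spaces between pairs
            pos = end + 1
        elif content[pos] == "\\":
            out.append(ord(content[pos + 1]))           # escaped literal such as \; or \"
            pos += 2
        else:
            out.append(ord(content[pos]))
            pos += 1
    return bytes(out)


def to_literal_content(content: str) -> str:
    """Rewrite a content value as plain text when every byte is printable ascii and none
    needs escaping; otherwise return the original so the hex form is kept."""
    raw = snort_content_bytes(content)
    if all(0x20 <= b < 0x7F and b not in SNORT_SPECIAL for b in raw):
        return raw.decode("ascii")
    return content


def decode_x_pairs(text: str) -> str:
    """Decode the obfuscated form seen in the injected script: two-digit hex byte values
    joined by 'x' (the thread shows them without backslashes, e.g. 6fx70x61 -> 'opa')."""
    pairs = [p for p in text.replace("\\", "").split("x") if p]
    return bytes(int(p, 16) for p in pairs).decode("ascii")


if __name__ == "__main__":
    print(to_literal_content(HEX_CONTENT_1) == ASCII_CONTENT_1)   # True: same bytes either way
    print(decode_x_pairs(ASCII_CONTENT_1))                        # opacity:0;filter:alpha(opacity=0);
    print(decode_x_pairs(to_literal_content(HEX_CONTENT_2)))      # -moz-opacity:0;">
    print(to_literal_content("|22 3b|"))                          # |22 3b| (quote and semicolon stay hex)
```

Running it shows why the reply's rewrite is safe: the obfuscated string contains only hex digits and `x`, so no byte in it needs escaping, and the literal form is both shorter and readable in the rule file. Decoding the pairs also gives the analyst the cleartext the match corresponds to, which is what belongs in the rule's comment or reference.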
Current thread:
- Injected Eitest Script el cabezon (Oct 02)
- Re: Injected Eitest Script Geoffrey Serrao (Oct 03)
- Re: Injected Eitest Script Joshua Williams (Oct 03)
- <Possible follow-ups>
- Re: Injected Eitest Script el cabezon (Oct 03)
- Re: Injected Eitest Script el cabezon (Oct 04)
- Re: Injected Eitest Script Geoffrey Serrao (Oct 03)