Snort mailing list archives

Re: Rawin EK
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Jun 2013 10:32:05 -0400

On Jun 21, 2013, at 10:05 AM, lists () packetmail net wrote:
> On 06/20/2013 06:02 PM, Joel Esler wrote:
>> Thanks, this is how I added it:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin
>> exploit kit outbound java retrieval"; flow:to_server,established;
>> content:".php?b="; http_uri; content:"&v=1."; distance:0; http_uri;
>> pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy
>> security-ips drop, ruleset community, service http; classtype:trojan-activity;
>> sid:26985; rev:1;)
>
> Great, thanks Joel for the feedback, sig looks good.  Anyone get exploit
> payload, not hostile jar, on this one?

I haven't yet.

That being said, this is being discussed on another list I'm on right now, and I suggested the name "Rawin" (since that's what you called it), and that's the name I think they've adopted for it. The list hasn't seen the payload for it yet either.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
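The URI-matching part of sid:26985 quoted above (the two http_uri content matches, the distance:0 relationship between them, and the /U PCRE) translated into plain Python so it can be exercised against sample request lines. This is an added example, not code from the thread or from the Snort project; the request lines it scans are constructed for illustration, not captured Rawin traffic, and the function names are this example's own. The rule's header, flow and port conditions are not modelled.

```python
import re

# Detection body of sid:26985 (EXPLOIT-KIT Rawin exploit kit outbound java retrieval),
# re-expressed in Python. Only the http_uri checks are modelled; header, ports and
# flow:to_server,established are left out.

CONTENT_1 = ".php?b="   # content:".php?b="; http_uri;
CONTENT_2 = "&v=1."     # content:"&v=1."; distance:0; http_uri;
# pcre:"/\.php\?b=[A-F0-9]+&v=1\./U" with the /U (URI buffer) flag dropped, since the
# URI is passed in directly here instead of being selected out of the packet.
PCRE = re.compile(r"\.php\?b=[A-F0-9]+&v=1\.")


def rule_matches_uri(uri: str) -> bool:
    """Apply the rule's three URI checks in the order Snort evaluates them."""
    # First content match anywhere in the URI (case-sensitive, no nocase in the rule).
    pos1 = uri.find(CONTENT_1)
    if pos1 < 0:
        return False
    # distance:0 -> the second content must start at or after the end of the first match.
    pos2 = uri.find(CONTENT_2, pos1 + len(CONTENT_1))
    if pos2 < 0:
        return False
    # The PCRE only accepts an upper-case hex run after b=, so a lower-case token
    # passes both content checks and is then rejected here.
    return PCRE.search(uri) is not None


def request_line_uri(request_line: str) -> str:
    """Extract the request-target from a request line such as 'GET /x.php?b=1 HTTP/1.1'."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    return parts[1]


def scan_request_lines(lines):
    """Return the request lines whose URI would fire the rule."""
    return [ln for ln in lines if rule_matches_uri(request_line_uri(ln))]


# Constructed sample request lines (hypothetical paths and tokens, not captured traffic).
SAMPLE_REQUEST_LINES = [
    "GET /in.php?b=0A1B2C3D4E5F&v=1.7.21 HTTP/1.1",  # fires
    "GET /load.php?b=FFEE00&v=1.6 HTTP/1.1",         # fires
    "GET /load.php?b=ffee00&v=1.6 HTTP/1.1",         # lower-case hex: contents match, PCRE fails
    "GET /in.php?v=1.7&b=ABCD HTTP/1.1",             # parameters swapped: ".php?b=" never occurs
    "GET /index.php?b=ABCD&v=2.0 HTTP/1.1",          # "&v=1." absent
    "GET /static/app.js HTTP/1.1",                   # benign
]

if __name__ == "__main__":
    for hit in scan_request_lines(SAMPLE_REQUEST_LINES):
        print("ALERT sid:26985", hit)
```

Two things the example makes visible that the rule text alone does not: the PCRE is stricter than the content matches (upper-case hex only), and everything hinges on the literal parameter order `b=` then `v=`. Snort matches http_uri against the normalized URI from http_inspect, so percent-encoded variants that Snort would decode before matching will not match this plain-string version.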

Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!
