Snort mailing list archives

Rig Exploit Kit outbound URI request signature


From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Thu, 3 Jul 2014 16:49:56 +0000

We have a few rules for Rig Exploit Kit; however, here is one for the DGA algorithm used. The reference article and rule are below:

http://www.symantec.com/connect/ko/blogs/rig-exploit-kit-used-recent-website-compromise

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request";
flow:to_server,established; content:"nbe.html?0."; http_uri; fast_pattern:only;
pcre:"/^\/nbe\.html\?0\.[0-9]{16,17}$/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight;
metadata:service http; classtype:trojan-activity; )
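As an added illustration (not part of the original post), the following Python models what the rule's content and pcre options check against a request URI, using a simplified stand-in for Snort's http_uri normalization (percent-decoding only, which is an assumption) and constructed sample request lines:

```python
import re
from urllib.parse import unquote

# Body of the rule's pcre option, ^\/nbe\.html\?0\.[0-9]{16,17}$ with /U (normalized URI
# buffer) and /i (case-insensitive). Python has no http_uri buffer, so the caller passes
# the request URI and we apply a simplified normalization (percent-decoding only).
RIG_DGA_URI = re.compile(r"^/nbe\.html\?0\.[0-9]{16,17}$", re.IGNORECASE)
FAST_PATTERN = "nbe.html?0."  # the content match the rule uses as its fast pattern


def normalize_uri(uri: str) -> str:
    """Approximation of Snort's http_uri normalization (assumption: percent-decoding only)."""
    return unquote(uri)


def matches_rig_dga(uri: str) -> bool:
    """Return True when a request URI would satisfy both the content and the pcre option."""
    norm = normalize_uri(uri)
    # The content option carries no 'nocase' modifier, so it is case-sensitive even though
    # the pcre uses /i; the substring check is applied first, as Snort orders it.
    if FAST_PATTERN not in norm:
        return False
    return RIG_DGA_URI.search(norm) is not None


def flag_requests(request_lines):
    """Return the URIs from HTTP request lines that the rule's URI checks would alert on."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # not a request line
        _method, uri, _version = parts
        if matches_rig_dga(uri):
            flagged.append(uri)
    return flagged


# Constructed sample request lines (not real traffic); the digit strings are made up.
SAMPLE_REQUESTS = [
    "GET /nbe.html?0.1234567890123456 HTTP/1.1",      # 16 digits: alerts
    "GET /nbe.html?0.12345678901234567 HTTP/1.1",     # 17 digits: alerts
    "GET /nbe.html?0.123456789012345 HTTP/1.1",       # 15 digits: no alert
    "GET /nbe.html?0.123456789012345678 HTTP/1.1",    # 18 digits: $ anchor rejects
    "GET /NBE.HTML?0.1234567890123456 HTTP/1.1",      # content has no nocase: no alert
    "GET /nbe%2Ehtml?0.1234567890123456 HTTP/1.1",    # percent-encoded dot normalizes: alerts
    "GET /x/nbe.html?0.1234567890123456 HTTP/1.1",    # ^ anchor rejects a sub-path
]

if __name__ == "__main__":
    for uri in flag_requests(SAMPLE_REQUESTS):
        print("alert:", uri)
```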