Snort mailing list archives
flowbits check needed?
From: Y M <snort () outlook com>
Date: Sat, 15 Feb 2014 21:08:45 +0000
I am trying to write this signature but not sure whether to add the flowbits check for the java user agent. Thoughts? alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/\download\.asp\?p\=\d{1}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid: 100160; rev:1;) YM
------------------------------------------------------------------------------ Android apps run on BlackBerry 10 Introducing the new BlackBerry 10.2.1 Runtime for Android apps. Now with support for Jelly Bean, Bluetooth, Mapview and more. Get your Android app in front of a whole new audience. Start now. http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- flowbits check needed? Y M (Feb 15)
- Re: flowbits check needed? rmkml (Feb 15)
- Re: flowbits check needed? Y M (Feb 15)
- Re: flowbits check needed? Joel Esler (jesler) (Feb 16)
- Re: flowbits check needed? Y M (Feb 16)
- Re: flowbits check needed? Y M (Feb 15)
- Re: flowbits check needed? rmkml (Feb 15)