Snort mailing list archives

flowbits check needed?


From: Y M <snort () outlook com>
Date: Sat, 15 Feb 2014 21:08:45 +0000

I am trying to write this signature but not sure whether to add the flowbits check for the java user agent. Thoughts?
 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; 
flow:to_server,established; content:"/download.asp?p="; http_uri; content:" Java/1."; http_header; fast_pattern:only; 
pcre:"/\/download\.asp\?p=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, 
service http; 
reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; 
classtype:trojan-activity; sid:100160; rev:1;)
 
YM
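For comparison, this is what a flowbits pairing would look like if the Java User-Agent had to be observed on an earlier request of the same flow rather than in the payload request itself. It is an added illustration, not part of the original post: the sids and the flowbit name are made up, while the content matches are taken from the rule above.

```snort
# Constructed example (not from the thread). Rule 1 records that a Java
# client was seen on this flow and stays silent; rule 2 fires only when the
# payload request arrives on a flow already marked by rule 1.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Java client User-Agent seen (flowbit set)"; \
    flow:to_server,established; content:" Java/1."; http_header; fast_pattern:only; \
    flowbits:set,ek.java_ua; flowbits:noalert; classtype:not-suspicious; sid:1000001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request on Java flow"; \
    flow:to_server,established; flowbits:isset,ek.java_ua; content:"/download.asp?p="; http_uri; \
    pcre:"/\/download\.asp\?p=\d$/Ui"; classtype:trojan-activity; sid:1000002; rev:1;)
```

Since the rule in the post already requires the Java User-Agent header and the payload URI in the same request, the pairing only adds value when the two indicators cannot be matched in one packet.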
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!