Snort mailing list archives

Re: Rig Exploit Kit outbound URI request signature


From: Geoffrey Serrao <gserrao () sourcefire com>
Date: Thu, 10 Jul 2014 12:39:59 -0400

Excellent point Nathan. My only concern would be entering the PCRE too
often (slight concern).

Ideally I'd like to include at least a 'depth' modifier or 'urilen' before
the content match. We shall see what comes out of testing!


On Thu, Jul 10, 2014 at 12:20 PM, lists () packetmail net <lists () packetmail net> wrote:

On 07/10/2014 11:03 AM, Geoffrey Serrao wrote:
I've put into testing two rules which should cover both cases.

I wouldn't fixate on the names in the .html files, they vary.  This is
what Ify, Will, and I came up with on the Emerging-Threats side:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS food.com compromise hostile JavaScript gate"; flow:established,to_server; content:".html?0."; http_uri; fast_pattern:only; pcre:"/\/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$/U"; classtype:trojan-activity; sid:2018505; rev:4;)

Hmm, that's strange, the [a-z] should be {1,6} not {1,3} -- letting Will
know now.

Cheers,
Nathan Fowler
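As an added illustration (not code from this thread or from Emerging Threats), the script below simulates the staged matching the posted rule relies on: the cheap `.html?0.` content check runs first, an optional urilen-style length gate of the kind Geoffrey mentions is applied next, and the PCRE is only evaluated on what survives. It runs the posted regex over constructed sample URIs with the `[a-z]` quantifier set to both `{1,3}` and the `{1,6}` Nathan says was intended, and counts how many URIs actually reach the PCRE stage.

```python
import re

# Constructed sample URIs (not real traffic), chosen to exercise each branch.
SAMPLE_URIS = [
    "/ab.html?0.8765",        # short name: matches the posted {1,3} pattern
    "/xyz.html?0.12345a",     # short name with the optional trailing letter
    "/abcdef.html?0.4432",    # six-letter name: only matches with {1,6}
    "/index.html",            # benign, lacks ".html?0." so never reaches the PCRE
    "/abc.html?0.12/extra",   # content matches but the $ anchor fails
    "/a.html?1.9999",         # "?1." instead of "?0.", content check fails
]

CONTENT = ".html?0."          # the rule's fast_pattern content match


def build_pcre(max_letters):
    # Python form of the rule's pcre with the [a-z] quantifier parameterised.
    # The rule's /U flag means "normalised URI buffer"; here the URI string
    # itself stands in for that buffer.
    return re.compile(r"/[a-z]{1,%d}\.html\?0\.[0-9]+[a-z]?$" % max_letters)


def evaluate(uris, max_letters, max_urilen=None):
    """Return (alerted_uris, pcre_evaluations).

    Order mirrors Snort: content prefilter, then an optional urilen-style
    gate (assumed here as a plain upper bound on URI length), then PCRE.
    """
    pcre = build_pcre(max_letters)
    alerts, pcre_runs = [], 0
    for uri in uris:
        if CONTENT not in uri:
            continue                      # fast pattern miss: no PCRE cost
        if max_urilen is not None and len(uri) > max_urilen:
            continue                      # length gate miss: no PCRE cost
        pcre_runs += 1
        if pcre.search(uri):
            alerts.append(uri)
    return alerts, pcre_runs


if __name__ == "__main__":
    for letters in (3, 6):
        print(letters, evaluate(SAMPLE_URIS, letters))
    # A tight urilen gate saves PCRE evaluations but can also drop the
    # six-letter variant, so the bound has to follow the real name lengths.
    print("urilen<=18", evaluate(SAMPLE_URIS, 6, max_urilen=18))
```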
