Snort mailing list archives
Re: Angler Kit download False Positive
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 24 Aug 2016 08:21:27 -0600
On 2016-08-23 22:58, Dheeraj Gupta wrote:
Hi,

Signature SID "34720" or "Angler Exploit kit download" is generating false positives on our network. The payload of the offending packet is

GET http://3d978f8b966e64b0cfec-6729d756a2f36342416a9128f1759751.r41.cf3.rackcdn.com/Ares-Blue-Pool-1000004722876VAR6_03-554.jpg HTTP/1.1
Host: 3d978f8b966e64b0cfec-6729d756a2f36342416a9128f1759751.r41.cf3.rackcdn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.landmarkshops.in/Women/Tops/Tops-and-Tees/MAX-MAX-Printed-Sleeveless-Top/p/1000004722876VAR6

It seems to me the signature looks for overly long URIs, but with cloud hosting being so common, I guess that is to be expected.

Regards,
Dheeraj

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Confirmed...we saw this as well:

08/23-21:36:19.180175 [**] [1:31046:5] EXPLOIT-KIT Angler exploit kit outbound URL structure [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:54667 -> 66.117.6.115:80

Link: meow://i.kantu[.]in/aHR0cDovL2VjeC5pbWFnZXMtYW1hem9uLmNvbS9pbWFnZXMvSS81MTRmbzVVeml6TC5qcGc=

Tracking gif.

James
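Both reports in this thread are long-URI alerts fired on CDN-hosted static assets, which is the classic shape of an exploit-kit rule false positive. The following is an added triage example, not code from the thread or from the Snort project: it parses a Snort alert_fast line of the kind James posted, parses the HTTP request Dheeraj quoted, and explains why the rule fired (URI length, hashed CDN bucket hostname, static asset extension) before rendering a threshold.conf suppress entry. The alert line is constructed from the one in the thread with the source IP replaced; TRUSTED_CDN_SUFFIXES, the 100-character threshold and the helper names are assumptions for illustration, and the Referer header is shortened.

```python
import re
from urllib.parse import urlsplit

# Constructed Snort alert_fast line, modelled on the alert posted in the thread (source IP replaced).
SAMPLE_ALERT = (
    "08/23-21:36:19.180175 [**] [1:31046:5] EXPLOIT-KIT Angler exploit kit outbound URL structure "
    "[**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
    "10.0.0.5:54667 -> 66.117.6.115:80"
)

# The HTTP request quoted in the thread, reassembled with CRLF line endings (Referer shortened).
SAMPLE_REQUEST = (
    "GET http://3d978f8b966e64b0cfec-6729d756a2f36342416a9128f1759751.r41.cf3.rackcdn.com"
    "/Ares-Blue-Pool-1000004722876VAR6_03-554.jpg HTTP/1.1\r\n"
    "Host: 3d978f8b966e64b0cfec-6729d756a2f36342416a9128f1759751.r41.cf3.rackcdn.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0\r\n"
    "Referer: http://www.landmarkshops.in/Women/Tops/p/1000004722876VAR6\r\n"
    "\r\n"
)

# Assumed allowlist: CDN domains whose hashed bucket hostnames legitimately produce very long URIs.
TRUSTED_CDN_SUFFIXES = ("rackcdn.com", "cloudfront.net")

# Snort alert_fast layout: <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?):(?P<sport>\d+) -> (?P<dst>\S+?):(?P<dport>\d+)$"
)


def parse_fast_alert(line):
    """Parse one Snort alert_fast line into a dict; return None if the line is not one."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, host, path and headers.
    Handles absolute-form targets (proxy style, as in the quoted packet) and origin-form."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    if parts.scheme:  # absolute-form: the host is inside the request target
        host, path = parts.hostname or "", parts.path
    else:  # origin-form: the host comes from the Host header (strip any :port)
        host, path = headers.get("host", "").split(":")[0], target
    return {"method": method, "host": host.lower(), "path": path, "headers": headers}


def under_trusted_cdn(host):
    """True when host equals or is a subdomain of an allowlisted CDN suffix."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_CDN_SUFFIXES)


def triage(alert, request, long_uri_threshold=100):
    """Record why a long-URI alert fired and decide whether it looks like CDN noise."""
    uri_len = len(request["host"]) + len(request["path"])
    reasons = []
    if uri_len >= long_uri_threshold:
        reasons.append(f"uri length {uri_len} >= {long_uri_threshold}")
    cdn = under_trusted_cdn(request["host"])
    if cdn:
        reasons.append("host under trusted CDN suffix")
    static_asset = request["path"].lower().endswith((".jpg", ".png", ".gif", ".css", ".js"))
    if static_asset:
        reasons.append("static asset extension")
    referer_host = urlsplit(request["headers"].get("referer", "")).hostname
    verdict = "likely_false_positive" if cdn and static_asset else "investigate"
    return {"sid": alert["sid"], "dst": alert["dst"], "host": request["host"], "uri_len": uri_len,
            "referer_host": referer_host, "reasons": reasons, "verdict": verdict}


def suppress_line(alert, track="by_dst"):
    """Render a threshold.conf suppress entry for this alert's GID/SID and one IP.
    Deliberately narrow: a CDN spans many IPs, so this is a stopgap while the rule is tuned."""
    ip = alert["dst"] if track == "by_dst" else alert["src"]
    return f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}, track {track}, ip {ip}"


if __name__ == "__main__":
    alert = parse_fast_alert(SAMPLE_ALERT)
    request = parse_http_request(SAMPLE_REQUEST)
    print(triage(alert, request))
    print(suppress_line(alert))
```

The verdict is driven by the request content (hashed CDN hostname plus a static asset path), not by the alert alone, which is why the triage needs the packet payload and not just the fast-format line. An IP-based suppress entry only silences one CDN edge; the durable fix is a rule revision or a pass rule keyed on the Host header, which is what the rule maintainers would decide from reports like these.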
Current thread:
- Angler Kit download False Positive Dheeraj Gupta (Aug 23)
- <Possible follow-ups>
- Re: Angler Kit download False Positive James Lay (Aug 24)