[Emerging-Sigs] Another unknown exploit kit

Chris Wakelin c.d.wakelin at reading.ac.uk
Tue Oct 11 11:55:07 EDT 2011


On 11/10/11 16:41, Nathan wrote:
> 
> Thanks for your reply Martin, I'm not having any issues I was more or less
> commenting on Chris' scenario where it appears ET POLICY sets the flowbit used
> in ET CURRENT_EVENTS or ET TROJAN which in my eyes may be bad from the aspect of
> expecting folks to be using ET POLICY to drive coverage for ET TROJAN/ET
> CURRENT_EVENTS.

Yes, it was me that was running without the emerging-policy.rules
included. I've actually added the "Vulnerable Java" ones now, though
strangely still no hits on Eoin's rule. Perhaps a bug in Suricata or my
setup (or my interpretation!)

> 
> Perhaps a flowbits rule may be a good idea like what Joel had said they're doing.

Yes, sounds good to me! It might also be a good idea to flag up
missing flowbits when the rules are loaded, and presumably to miss out
the rules that require them.

BTW - back to the original topic - they're now serving up a trojan
(http://www.threatexpert.com/report.aspx?md5=474d9c3db60910059d19e700487f756b),
similar to what Martin found on 27th September, that downloads more from
the same site at /dl/ex.php?[1-3]. These should match my proposed rules
though.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094

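The load-time check Chris suggests above, as an added example: this is not code from the thread, from Suricata or from Emerging Threats, and the three rules in it are constructed stand-ins for the ET POLICY / CURRENT_EVENTS / TROJAN files (hypothetical sids 9000001-9000003 and hypothetical flowbit names). It parses the flowbits options out of a loaded rule set, reports bits that are tested with isset/isnotset but never set by any loaded rule, and optionally drops the rules that can therefore never fire, which is what happens when emerging-policy.rules is left out.

```python
"""Flowbits dependency check for Snort/Suricata rule sets.

Added example for the thread above; not Suricata's or Emerging Threats' code.
The rules at the bottom are constructed for illustration (hypothetical sids
9000001-9000003 and hypothetical flowbit names).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Simplification: a literal "flowbits:" inside a content string would also match.
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
NAME_SPLIT_RE = re.compile(r"[|&]")  # Suricata accepts a|b and a&b in isset/isnotset


@dataclass
class Rule:
    sid: int
    sets: Set[str] = field(default_factory=set)         # flowbits:set / toggle
    needs_set: Set[str] = field(default_factory=set)    # flowbits:isset
    needs_unset: Set[str] = field(default_factory=set)  # flowbits:isnotset


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; None for blanks, comments and '#'-disabled rules."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = SID_RE.search(line)
    if not m:
        raise ValueError("rule without sid: " + line[:60])
    rule = Rule(sid=int(m.group(1)))
    for opt in FLOWBITS_RE.findall(line):
        action, _, arg = (p.strip() for p in opt.partition(","))
        names = {n.strip() for n in NAME_SPLIT_RE.split(arg) if n.strip()}
        action = action.lower()
        if action in ("set", "toggle"):
            rule.sets |= names
        elif action == "isset":
            rule.needs_set |= names
        elif action == "isnotset":
            rule.needs_unset |= names
        # noalert takes no name; unset only clears a bit and creates no dependency
    return rule


def load_rules(rule_lines: List[str]) -> List[Rule]:
    return [r for r in map(parse_rule, rule_lines) if r is not None]


def check_flowbits(rule_lines: List[str]) -> Dict[str, Dict[str, List[int]]]:
    """Report flowbits that loaded rules test but no loaded rule ever sets.

    never_fires: sids gated by isset on such a bit (dead rules, the symptom in
    the thread). always_passes: sids gated by isnotset on such a bit (the check
    is vacuous, so the rule fires more often than intended).
    """
    rules = load_rules(rule_lines)
    provided = set().union(*(r.sets for r in rules))
    report: Dict[str, Dict[str, List[int]]] = {"never_fires": {}, "always_passes": {}}
    for r in rules:
        for bit in sorted(r.needs_set - provided):
            report["never_fires"].setdefault(bit, []).append(r.sid)
        for bit in sorted(r.needs_unset - provided):
            report["always_passes"].setdefault(bit, []).append(r.sid)
    return report


def drop_unsatisfiable(rule_lines: List[str]) -> List[str]:
    """Return rule_lines minus the rules whose isset bits nothing loaded can set."""
    rules = load_rules(rule_lines)
    provided = set().union(*(r.sets for r in rules))
    dead = {r.sid for r in rules if r.needs_set - provided}
    return [l for l in rule_lines if (parse_rule(l) is None or parse_rule(l).sid not in dead)]


# Constructed rules standing in for the three ET categories discussed above.
POLICY_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POLICY Vulnerable Java client"; '
    'flow:established,to_server; content:"Java/1.6.0_2"; http_user_agent; '
    'flowbits:set,example.java.vulnerable; flowbits:noalert; classtype:policy-violation; sid:9000001; rev:1;)',
]
CURRENT_EVENTS_RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE CURRENT_EVENTS JAR served to vulnerable Java"; '
    'flow:established,to_client; flowbits:isset,example.java.vulnerable; file_data; content:"PK|03 04|"; '
    'classtype:trojan-activity; sid:9000002; rev:1;)',
]
TROJAN_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN second-stage download"; '
    'flow:established,to_server; content:"/dl/ex.php?"; http_uri; '
    'flowbits:isset,example.kit.landing; classtype:trojan-activity; sid:9000003; rev:1;)',
]

if __name__ == "__main__":
    full = POLICY_RULES + CURRENT_EVENTS_RULES + TROJAN_RULES
    without_policy = CURRENT_EVENTS_RULES + TROJAN_RULES
    print("all files loaded:     ", check_flowbits(full))
    print("policy file left out: ", check_flowbits(without_policy))
    print("sids kept w/o policy: ", [parse_rule(l).sid for l in drop_unsatisfiable(without_policy)])
```

With all three files loaded the only finding is the hypothetical example.kit.landing bit, which sid 9000003 tests but nothing sets, so that rule is dead even in a full load; leave the policy file out and the CURRENT_EVENTS rule joins it. Running such a check in the rule-update pipeline (and treating never_fires as a hard error) catches the situation in the thread before the sensor is deployed without the flowbit-setting rules.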