[Emerging-Sigs] Styx EK

Will Metcalf wmetcalf at emergingthreatspro.com
Thu Dec 27 09:26:27 HAST 2012


Already have coverage as "Unknown_gmf". Will update msg on next rule rev.

Regards,

Will



On Thu, Dec 27, 2012 at 2:13 AM, n0cturnal <n0cturnal.infosec at gmail.com> wrote:

> Greetings ET,
>
> I hope everyone had a great holiday. I'm not sure if we are covered on
> this or not but below are some proposed signatures for Styx EK. Please
> forgive me as I am still new at this rule writing thing. Any feedback would
> be appreciated. Thanks
>
>
> Landing -
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Landing Page"; flow:established,to_server; content:"/getmyfile.exe?o=1&h="; http_uri; pcre:"/\/[a-zA-Z0-9]{150,}/U"; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; reference:url,malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html; classtype:trojan-activity; sid:xxxxxxx; rev:1;)
>
> PDF -
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx PDF Exploit"; flow:established,to_server; content:".pdf"; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.pdf$/U"; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; reference:url,malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html; classtype:trojan-activity; sid:x; rev:1;)
>
> JAR -
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Java Exploit Recent Jar"; flow:established,to_server; content:"Java/"; http_header; content:".jar"; http_uri; nocase; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.jar$/U"; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; reference:url,malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html; classtype:trojan-activity; sid:x; rev:1;)
>
> Payload -
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Payload Request"; flow:established,to_server; content:"/getmyfile.exe?o=1&h="; http_uri; pcre:"/\/[a-zA-Z0-9]{150,}/U"; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; reference:url,malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html; classtype:trojan-activity; sid:x; rev:1;)
>
>
>
> References: http://www.malwaresigs.com/2012/12/19/styx-exploit-kit/
>
> http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html
>
>
> Regards,
> -n0ct
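As an added example that is not part of the thread (neither Will's nor n0cturnal's code), the script below re-implements the `http_uri` content and `pcre` checks of the four proposed rules in Python and runs them over constructed request URIs, so a rule author can see which requests each pattern accepts before loading the rules into Snort or Suricata. The JAR rule's `Java/` header check is left out; the rule names and patterns come from the proposed signatures above, and every sample URI is constructed for illustration, not a real Styx EK indicator.

```python
"""Offline check of the URI logic in the proposed Styx EK signatures.

Added example, not part of the mailing-list thread. Only the `http_uri`
content and `pcre` fragments of the four proposed rules are modelled; the JAR
rule's `Java/` User-Agent header check is left out. Every sample URI below is
constructed for illustration and is not a real Styx EK indicator.
"""
import re
from typing import List, NamedTuple


class UriRule(NamedTuple):
    name: str
    content: str           # `content:` keyword that must appear in the URI
    pattern: "re.Pattern"  # body of the `pcre:` keyword (Snort's /.../U wrapper removed)
    nocase: bool = False   # whether the content match carries `nocase;`


# The four proposed rules reduced to their URI tests. Landing and Payload use
# the same content and pcre, so any request that fires one fires both.
RULES = [
    UriRule("Styx Landing Page", "/getmyfile.exe?o=1&h=",
            re.compile(r"\/[a-zA-Z0-9]{150,}")),
    UriRule("Styx PDF Exploit", ".pdf",
            re.compile(r"\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.pdf$")),
    UriRule("Styx Java Exploit Recent Jar", ".jar",
            re.compile(r"\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.jar$"), nocase=True),
    UriRule("Styx Payload Request", "/getmyfile.exe?o=1&h=",
            re.compile(r"\/[a-zA-Z0-9]{150,}")),
]


def matching_rules(uri: str) -> List[str]:
    """Return the names of the rules whose content and pcre both match `uri`."""
    hits = []
    for rule in RULES:
        haystack = uri.lower() if rule.nocase else uri
        needle = rule.content.lower() if rule.nocase else rule.content
        if needle not in haystack:
            continue                  # content check fails, so the pcre is never evaluated
        if rule.pattern.search(uri):  # the pcre carries no /i flag, so it stays case-sensitive
            hits.append(rule.name)
    return hits


DIR78 = "a" * 78    # a directory token inside the {76,81} window
DIR40 = "a" * 40    # too short for that window
DIR150 = "b" * 150  # long enough for the {150,} landing/payload pcre

# Constructed request URIs (not real indicators), each chosen to exercise one
# behaviour of the patterns.
SAMPLE_URIS = {
    "pdf_ok":            f"/{DIR78}/abcde.pdf",
    "pdf_with_query":    f"/{DIR78}/abcde.pdf?x=1",   # '$' rejects a trailing query string
    "jar_ok":            f"/{DIR78}/Xy12.jar",
    "jar_uppercase_ext": f"/{DIR78}/Xy12.JAR",        # content is nocase, the pcre is not
    "jar_short_dir":     f"/{DIR40}/Xy12.jar",        # directory token outside {76,81}
    "payload_ok":        f"/{DIR150}/getmyfile.exe?o=1&h=" + "c" * 32,
    "payload_hash_only": "/getmyfile.exe?o=1&h=" + "c" * 160,  # long token follows '=', not '/'
}


def evaluate_samples() -> dict:
    """Map every sample name to the list of rule names it triggers."""
    return {name: matching_rules(uri) for name, uri in SAMPLE_URIS.items()}


if __name__ == "__main__":
    for name, hits in evaluate_samples().items():
        print(f"{name:18s} -> {hits or 'no match'}")
```

Running it shows three things worth knowing before the rules go live: the `$` anchor in the PDF and JAR patterns rejects any request that carries a query string, the `nocase` on the JAR content match does not carry over to the case-sensitive pcre, and the Landing and Payload rules always fire together because their content and pcre are identical.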