[Emerging-Sigs] SIGS: Metasploit Java Sigs and Generic Obfuscated Java Sigs

Kevin Ross kevross33 at googlemail.com
Sun Dec 30 12:21:08 HAST 2012


Hi,

A few sigs to cover Metasploit stuff. If my thinking is correct, all of the
ones to detect obfuscation won't actually work in Snort if the JavaScript
de-obfuscation is enabled, so it is more for Suricata.

Regards,
Kevin

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Unicode UTF-8 Obfuscated Java Exploit Exploit.class"; flow:established,to_client; file_data; content:"%45%78%70%6c%6f%69%74%2e%63%6c%61%73%73"; distance:0; classtype:attempted-user; sid:192131; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Unicode UTF-8 Obfuscated Java Exploit Landing Page Structure"; flow:established,to_client; file_data; content:"<script>document.write(unescape(|22|%3c%68%74%6d%6c%3e%3c%68%65%61%64%3e%3c%2f%68%65%61%64%3e%3c%62%6f%64%79%3e%3c%61%70%70%6c%65%74%20%61%72%63%68%69%76%65%"; fast_pattern:68,20; distance:0; content:"%2e%63%6c%61%73%73"; distance:0; classtype:attempted-user; sid:192132; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Unobfuscated Java Exploit Exploit.class"; flow:established,to_client; file_data; content:"code=|22|Exploit.class|22|"; distance:0; classtype:attempted-user; sid:192133; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Unicode UTF-8 Obfuscated Java Exploit"; flow:established,to_client; file_data; content:"%3c%61%70%70%6c%65%74"; distance:0; content:"%61%72%63%68%69%76%65%3d"; distance:0; content:"%2e%6a%61%72"; distance:0; content:"%63%6f%64%65%3d"; distance:0; content:"%2e%63%6c%61%73%73"; distance:0; classtype:attempted-user; sid:192134; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Unicode UTF-16 Obfuscated Java Exploit"; flow:established,to_client; file_data; content:"%3c61%7070%6c65%74"; distance:0; content:"%6172%6368%6976%653d"; distance:0; content:"%2e6a%6172"; distance:0; content:"%636f%6465%3d"; distance:0; content:"%2e63%6c61%7373"; distance:0; classtype:attempted-user; sid:192135; rev:1;)
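Added example, not part of Kevin's post or the ET ruleset: a small Python emulation of the ordered content chains from the "UTF-8 Obfuscated Java Exploit" and "Unobfuscated Java Exploit Exploit.class" rules, run over a constructed landing page before and after the URL-decoding a JavaScript de-obfuscating normaliser would apply. It shows why the %XX-based rules only fire on an engine that inspects the raw file_data, while the plain-text rule fires only after decoding. The rule labels and the sample HTML are constructed for the example.

```python
"""Emulate Snort/Suricata content chains (content + distance:0) over sample
HTML, before and after the decoding a JavaScript normaliser would perform."""
from urllib.parse import unquote

# Ordered content patterns taken from two of the posted rules. Labels are
# constructed shorthand for the rules' msg text, not real sids.
RULES = {
    "UTF-8 Obfuscated Java Exploit": [
        "%3c%61%70%70%6c%65%74",        # <applet
        "%61%72%63%68%69%76%65%3d",     # archive=
        "%2e%6a%61%72",                 # .jar
        "%63%6f%64%65%3d",              # code=
        "%2e%63%6c%61%73%73",           # .class
    ],
    "Unobfuscated Java Exploit Exploit.class": ['code="Exploit.class"'],
}


def chain_matches(data: str, chain: list[str]) -> bool:
    """Each pattern must be found at or after the end of the previous match,
    which is what a run of content:...; distance:0; options requires."""
    pos = 0
    for pat in chain:
        idx = data.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def match_rules(data: str) -> dict[str, bool]:
    """Return which of the emulated rules fire on the given file_data."""
    return {name: chain_matches(data, chain) for name, chain in RULES.items()}


# Constructed sample page (not a real exploit page), wrapped the same way as
# the document.write(unescape("...")) structure the landing-page rule targets.
PLAIN = '<html><body><applet archive="a.jar" code="Exploit.class"></applet></body></html>'
OBFUSCATED = ('<script>document.write(unescape("'
              + "".join("%%%02x" % ord(c) for c in PLAIN) + '"))</script>')


def normalised(data: str) -> str:
    """What a de-obfuscating normaliser hands the engine: %XX sequences decoded."""
    return unquote(data)
```

On the raw page only the percent-encoded chain fires; after decoding, only the plain-text rule does, so an engine that normalises before matching needs the unobfuscated form of the signature.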