[Emerging-Sigs] SIGS: Sweet Orange and Angler

Kevin Ross kevross33 at googlemail.com
Tue Sep 23 04:57:57 EDT 2014

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
CURRENT_EVENTS Sweet Orange Exploit Kit Traffic Gate";
flow:established,to_server; content:"/k?t="; http_uri; depth:5;
pcre:"/^\x2Fk\x3Ft\x3D\d{10}$/U"; classtype:trojan-activity; reference:url,
www.malware-traffic-analysis.net/2014/09/19/index.html; sid:193311; rev:1;)

# Seen this in many examples going back to at least Late May/June time so
looks pretty consistant.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Angler Exploit Kit Fake HTTP Headers";
flow:established,to_client; content:"Expires|3A| Sat, 26 Jul 1997
05|3A|00|3A|00 GMT"; http_header; content:"Expires|3A|
content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00 GMT";
http_header; fast_pattern:15,20; classtype:trojan-activity; reference:url,
www.malware-traffic-analysis.net/2014/09/22/index.html; sid:193312; rev:1;)

Kind Regards,
kevin Ross
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140923/e63f1236/attachment.html>

More information about the Emerging-sigs mailing list