[Emerging-Sigs] SIGS: Sweet Orange and Angler

Darien Huss dhuss at emergingthreats.net
Tue Sep 23 08:14:04 EDT 2014


Thanks Kevin,

The first one is covered by 2019146. The second one is covered by ETPRO
2807913, so we will move that over to OPEN today.

Regards,
Darien

On Tue, Sep 23, 2014 at 4:57 AM, Kevin Ross <kevross33 at googlemail.com>
wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Sweet Orange Exploit Kit Traffic Gate";
> flow:established,to_server; content:"/k?t="; http_uri; depth:5;
> pcre:"/^\x2Fk\x3Ft\x3D\d{10}$/U"; classtype:trojan-activity; reference:url,
> www.malware-traffic-analysis.net/2014/09/19/index.html; sid:193311;
> rev:1;)
>
> # Seen this in many examples going back to at least late May/June time so
> looks pretty consistent.
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> CURRENT_EVENTS Angler Exploit Kit Fake HTTP Headers";
> flow:established,to_client; content:"Expires|3A| Sat, 26 Jul 1997
> 05|3A|00|3A|00 GMT"; http_header;
> content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00 GMT";
> http_header; fast_pattern:15,20; classtype:trojan-activity; reference:url,
> www.malware-traffic-analysis.net/2014/09/22/index.html; sid:193312;
> rev:1;)
>
> Kind Regards,
> Kevin Ross
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
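Added example, not code from this thread or from Emerging Threats: a Python re-implementation of the match logic in the two rules quoted above, so the URI regex, the depth:5 constraint, the paired http_header contents and the bytes selected by fast_pattern:15,20 can be checked offline against constructed sample traffic without a sensor. All URIs and HTTP responses in it are constructed, not captured, and it mirrors Snort's behaviour only as far as those modifiers go (substring search in the normalised buffers, case-sensitive because neither content carries nocase).

```python
"""Offline re-implementation of the match logic of the two Snort rules above.
Added example; not from the thread. Samples below are constructed."""
import re

# --- Rule 1 (sid:193311): Sweet Orange gate -----------------------------------
# content:"/k?t="; http_uri; depth:5;  -> literal must lie in the first 5 bytes
# pcre:"/^\x2Fk\x3Ft\x3D\d{10}$/U"     -> whole normalised URI is /k?t=<10 digits>
SWEET_ORANGE_URI = re.compile(r"^/k\?t=\d{10}$")


def sweet_orange_gate(uri: str) -> bool:
    """True when a request URI satisfies both the content and the pcre check."""
    content_hit = "/k?t=" in uri[:5]          # depth:5 on the URI buffer
    return content_hit and SWEET_ORANGE_URI.match(uri) is not None


# --- Rule 2 (sid:193312): Angler fake HTTP headers ----------------------------
# Both contents carry http_header, so both must appear in the response header
# block. The |3A| bytes in the rule are the literal colons below.
EXPIRES = "Expires: Sat, 26 Jul 1997 05:00:00 GMT"
LAST_MODIFIED = "Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT"


def fast_pattern_slice(content: str, offset: int, length: int) -> str:
    """The bytes fast_pattern:<offset>,<length> hands to the fast pattern matcher."""
    return content[offset:offset + length]


def angler_fake_headers(response: str) -> bool:
    """True when the header block (before the blank line) carries both values."""
    header_block = response.split("\r\n\r\n", 1)[0]
    return EXPIRES in header_block and LAST_MODIFIED in header_block


# --- Constructed samples ------------------------------------------------------
SAMPLE_URIS = [
    "/k?t=1411456620",        # ten digits, nothing after: fires
    "/k?t=141145662",         # nine digits: pcre fails
    "/k?t=1411456620&x=1",    # trailing parameter: the $ anchor fails
    "/index.php?k=t",         # literal never inside the first 5 bytes
]

SAMPLE_ANGLER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Expires: Sat, 26 Jul 1997 05:00:00 GMT\r\n"
    "Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

SAMPLE_BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Expires: Sat, 26 Jul 1997 05:00:00 GMT\r\n"
    "Last-Modified: Mon, 22 Sep 2014 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT"   # body, not the header buffer
)


def scan_uris(uris=SAMPLE_URIS) -> dict:
    """Map each sample URI to whether sid:193311 would fire on it."""
    return {u: sweet_orange_gate(u) for u in uris}


if __name__ == "__main__":
    for uri, hit in scan_uris().items():
        print(f"{'ALERT' if hit else '     '} sid:193311 {uri}")
    print("fast_pattern bytes:", repr(fast_pattern_slice(LAST_MODIFIED, 15, 20)))
    for name, resp in (("angler", SAMPLE_ANGLER_RESPONSE),
                       ("benign", SAMPLE_BENIGN_RESPONSE)):
        print(f"{'ALERT' if angler_fake_headers(resp) else '     '} sid:193312 {name}")
```

Running it shows that fast_pattern:15,20 selects "Sat, 26 Jul 2040 05:" from the Last-Modified content, i.e. the 2040 date rather than the header name, which is the part of the rule that carries its selectivity; the 1997 Expires value is only required in combination with it.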