[Emerging-Sigs] SIGS: Sweet Orange and Angler

Kevin Ross kevross33 at googlemail.com
Tue Sep 23 11:25:04 EDT 2014


That is fine, as the sig was a bit wrong. When I was analysing it and realised
both of the headers don't change I modified it, but obviously not cleanly :)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Angler Exploit Kit Fake HTTP Headers";
flow:established,to_client;
content:"Expires|3A| Sat, 26 Jul 1997 05|3A|00|3A|00 GMT"; http_header;
content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00 GMT";
http_header; fast_pattern:15,20; classtype:trojan-activity;
reference:url,www.malware-traffic-analysis.net/2014/09/22/index.html;
sid:193312; rev:1;)

On 23 September 2014 13:14, Darien Huss <dhuss at emergingthreats.net> wrote:

> Thanks Kevin,
>
> The first one is covered by 2019146. The second one is covered by ETPRO
> 2807913, so we will move that over to OPEN today.
>
> Regards,
> Darien
>
> On Tue, Sep 23, 2014 at 4:57 AM, Kevin Ross <kevross33 at googlemail.com>
> wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS Sweet Orange Exploit Kit Traffic Gate";
>> flow:established,to_server; content:"/k?t="; http_uri; depth:5;
>> pcre:"/^\x2Fk\x3Ft\x3D\d{10}$/U"; classtype:trojan-activity; reference:url,
>> www.malware-traffic-analysis.net/2014/09/19/index.html; sid:193311;
>> rev:1;)
>>
>> # Seen this in many examples going back to at least late May/June time so
>> looks pretty consistent.
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
>> CURRENT_EVENTS Angler Exploit Kit Fake HTTP Headers";
>> flow:established,to_client; content:"Expires|3A| Sat, 26 Jul 1997
>> 05|3A|00|3A|00 GMT"; http_header; content:"Expires|3A|
>> content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00 GMT";
>> http_header; fast_pattern:15,20; classtype:trojan-activity; reference:url,
>> www.malware-traffic-analysis.net/2014/09/22/index.html; sid:193312;
>> rev:1;)
>>
>> Kind Regards,
>> Kevin Ross
>>
>
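The two rules in this thread reduce to a pair of checks: a to_client response whose http_header buffer carries both the fixed 1997 Expires value and the fixed 2040 Last-Modified value, and a to_server request whose URI is exactly "/k?t=" followed by ten digits. The following Python script is an added example, not code from the thread or from Emerging Threats, that applies the same string and regex logic to constructed flow records so the behaviour can be checked offline. It also shows why the Angler rule needs both content matches: that exact 1997 Expires date is a common legitimate "already expired" no-cache value, so a response carrying only that header must not fire. Record layout and sample data are assumptions made for the example.

```python
import re
from typing import List

# Header values from the Angler rule posted in the thread; in the Snort
# rule the colon is written as |3A|.
ANGLER_EXPIRES = "Expires: Sat, 26 Jul 1997 05:00:00 GMT"
ANGLER_LAST_MODIFIED = "Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT"

# Sweet Orange gate URI, the Python form of the rule's
# pcre:"/^\x2Fk\x3Ft\x3D\d{10}$/U" (the U flag scopes it to the URI buffer).
SWEET_ORANGE_GATE = re.compile(r"^/k\?t=\d{10}$")


def http_header_block(raw_head: str) -> str:
    """Return the header lines of a raw HTTP message head, i.e. everything
    after the status/request line up to the blank line, with CRLF normalised
    to LF. This is roughly what Snort's http_header buffer contains."""
    text = raw_head.replace("\r\n", "\n")
    head, _, _ = text.partition("\n\n")
    first_nl = head.find("\n")
    return head[first_nl + 1:] if first_nl >= 0 else ""


def angler_fake_headers(raw_response_head: str) -> bool:
    """Both substrings must be present, like the two content: keywords in
    the rule. Matching on Expires alone would be noisy, because that 1997
    date is a widely used legitimate no-cache value; the Last-Modified date
    in 2040 is what makes the pair distinctive."""
    hdrs = http_header_block(raw_response_head)
    return ANGLER_EXPIRES in hdrs and ANGLER_LAST_MODIFIED in hdrs


def sweet_orange_gate(request_uri: str) -> bool:
    """'/k?t=' followed by exactly ten digits and nothing else."""
    return SWEET_ORANGE_GATE.match(request_uri) is not None


def scan(records: List[dict]) -> List[str]:
    """Run both checks over flow records (assumed layout: id, direction and
    either a request uri or a raw response head) and return the names of
    the alerts that fire, in record order."""
    alerts = []
    for rec in records:
        if rec["direction"] == "to_server" and sweet_orange_gate(rec["uri"]):
            alerts.append(f"{rec['id']}: Sweet Orange Exploit Kit Traffic Gate")
        elif rec["direction"] == "to_client" and angler_fake_headers(rec["head"]):
            alerts.append(f"{rec['id']}: Angler Exploit Kit Fake HTTP Headers")
    return alerts


# Constructed sample records for the example, not real captures.
SAMPLE_RECORDS = [
    {"id": "r1", "direction": "to_server", "uri": "/k?t=1411473600"},
    # too few digits: must not match
    {"id": "r2", "direction": "to_server", "uri": "/k?t=14114736"},
    # Expires only: a normal no-cache response, must not fire
    {"id": "r3", "direction": "to_client", "head":
        "HTTP/1.1 200 OK\r\n"
        "Expires: Sat, 26 Jul 1997 05:00:00 GMT\r\n"
        "Cache-Control: no-cache\r\n\r\n"},
    # both fixed headers present: fires
    {"id": "r4", "direction": "to_client", "head":
        "HTTP/1.1 200 OK\r\n"
        "Expires: Sat, 26 Jul 1997 05:00:00 GMT\r\n"
        "Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT\r\n"
        "Content-Type: text/html\r\n\r\n"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Running the script prints alerts for r1 and r4 only; r3 demonstrates the false positive the Last-Modified match avoids, which matches Kevin's observation that both headers stay fixed across samples.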