[Emerging-Sigs] SIGS: Critx/Flashpack Flash Request & Payload Request

Kevin Ross kevross33 at googlemail.com
Thu Sep 25 04:52:17 EDT 2014


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Critx/Flashpack Flash Exploit Request"; flow:established,to_server; content:"POST"; http_method; content:"/imageclass/newgater.php"; http_uri; content:"fvers="; http_client_body; depth:6; classtype:trojan-activity; reference:md5,ce0fa5d811e0735369366b76b1efd07a; sid:123991; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Critx/Flashpack Payload Request"; flow:established,to_server; content:"/imageclass/load"; http_uri; content:".php"; http_uri; pcre:"/^\x2Fimageclass\x2Fload[a-z0-9]{5,15}\x2Ephp$/U"; classtype:trojan-activity; reference:md5,cce12efacf5800fb937d40bbf0b0c4b0; sid:123992; rev:1;)


Kind Regards,
Kevin Ross
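The matching logic of the two signatures above, re-expressed in plain Python as an added example (not part of Kevin Ross's post or the ET ruleset) so the match conditions can be exercised against constructed HTTP requests offline. It assumes http_uri is the full request-target including any query string, models depth:6 on the client body literally, and does not model the flow:established,to_server state check.

```python
import re

# sid:123992 pcre with the /U (URI buffer) modifier: a 5-15 char [a-z0-9] token
# between "/imageclass/load" and ".php", anchored at both ends of the URI.
PAYLOAD_URI_RE = re.compile(r"^/imageclass/load[a-z0-9]{5,15}\.php$")


def sid_123991(method: str, uri: str, body: bytes) -> bool:
    """ET CURRENT_EVENTS Critx/Flashpack Flash Exploit Request."""
    if method != "POST":                                # content:"POST"; http_method
        return False
    if "/imageclass/newgater.php" not in uri:           # content:...; http_uri
        return False
    # content:"fvers="; http_client_body; depth:6 -> the 6-byte pattern must sit
    # entirely within the first 6 bytes of the body, i.e. the body starts with it.
    return b"fvers=" in body[:6]


def sid_123992(method: str, uri: str, body: bytes) -> bool:
    """ET CURRENT_EVENTS Critx/Flashpack Payload Request."""
    # The two content matches are cheap prefilters; the pcre makes the decision.
    if "/imageclass/load" not in uri or ".php" not in uri:
        return False
    return PAYLOAD_URI_RE.match(uri) is not None


RULES = {123991: sid_123991, 123992: sid_123992}


def match_request(raw: bytes) -> list:
    """Split a minimal HTTP/1.x request into method, URI and body; return firing sids."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, uri, _version = request_line.split(" ", 2)
    return [sid for sid, rule in RULES.items() if rule(method, uri, body)]


# Constructed sample requests (not real captures); hostnames are placeholders.
SAMPLE_REQUESTS = {
    "flash_request": b"POST /imageclass/newgater.php HTTP/1.1\r\nHost: example.invalid\r\n\r\nfvers=11.2.202.400&x=1",
    "payload_request": b"GET /imageclass/loadab12cd3.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "short_token": b"GET /imageclass/loadab1.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",      # 3-char token: no match
    "fvers_later": b"POST /imageclass/newgater.php HTTP/1.1\r\nHost: example.invalid\r\n\r\nid=1&fvers=11",  # outside depth:6
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(f"{name:16} -> {match_request(raw)}")
```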

