<div dir="ltr"><div>Thanks Kevin,<br><br>The first one is covered by 2019146. The second one is covered by ETPRO 2807913, so we will move that over to OPEN today.<br><br></div>Regards,<br>Darien<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 23, 2014 at 4:57 AM, Kevin Ross <span dir="ltr">&lt;<a href="mailto:kevross33@googlemail.com" target="_blank">kevross33@googlemail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Exploit Kit Traffic Gate"; flow:established,to_server; content:"/k?t="; http_uri; depth:5; pcre:"/^\x2Fk\x3Ft\x3D\d{10}$/U"; classtype:trojan-activity; reference:url,<a href="http://www.malware-traffic-analysis.net/2014/09/19/index.html" target="_blank">www.malware-traffic-analysis.net/2014/09/19/index.html</a>; sid:193311; rev:1;)<br><br># Seen this in many examples going back to at least Late May/June time so looks pretty consistent. <br><div>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler Exploit Kit Fake HTTP Headers"; flow:established,to_client; content:"Expires|3A| Sat, 26 Jul 1997 05|3A|00|3A|00 GMT"; http_header; content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00 GMT"; http_header; fast_pattern:15,20; classtype:trojan-activity; reference:url,<a href="http://www.malware-traffic-analysis.net/2014/09/22/index.html" target="_blank">www.malware-traffic-analysis.net/2014/09/22/index.html</a>; sid:193312; rev:1;)<br><br>Kind Regards,<br>Kevin Ross<br></div></div>
<br></blockquote></div><br></div>
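<div>An added example, not part of the original thread or of the Emerging Threats ruleset: the match conditions of the two proposed rules (sid 193311 and sid 193312) re-expressed in Python so they can be checked against HTTP transactions from proxy logs or extracted pcaps. All sample URIs and header blocks are constructed, and the function names are hypothetical; the near misses show what the anchored pcre and the paired header contents exclude.</div>

```python
import re

# Match conditions transcribed from the two rules quoted in the thread.
GATE_URI = re.compile(r"/k\?t=\d{10}")   # sid 193311, applied with fullmatch
ANGLER_HEADERS = (                        # sid 193312: both contents required
    "Expires: Sat, 26 Jul 1997 05:00:00 GMT",
    "Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT",
)


def matching_sids(uri, response_headers):
    """Return the sids whose content/pcre conditions this transaction meets."""
    sids = []
    # The pcre is anchored with ^ and $, so the whole URI must match.
    if GATE_URI.fullmatch(uri):
        sids.append(193311)
    # Case-sensitive substring checks: the rule's contents carry no nocase.
    if all(h in response_headers for h in ANGLER_HEADERS):
        sids.append(193312)
    return sids


def resp(*lines):
    """Build a raw response header block (constructed test data only)."""
    return "\r\n".join(("HTTP/1.1 200 OK",) + lines) + "\r\n\r\n"


# Constructed samples. The 1997 Expires value on its own is the "date in the
# past" from the PHP manual's header() no-cache example, so it also shows up
# in benign traffic; the 2040 Last-Modified is what makes the pair distinctive.
SAMPLES = [
    ("/k?t=1411120000", resp("Content-Type: text/html")),       # gate URI
    ("/k?t=141112000", resp("Content-Type: text/html")),        # 9 digits
    ("/k?t=1411120000&r=1", resp("Content-Type: text/html")),   # trailing data
    ("/landing.php", resp(*ANGLER_HEADERS)),                     # both headers
    ("/app.php", resp(ANGLER_HEADERS[0],
                      "Last-Modified: Tue, 23 Sep 2014 04:57:00 GMT")),
]


def hunt(samples=SAMPLES):
    """Evaluate every (uri, headers) pair and return (uri, sids) results."""
    return [(uri, matching_sids(uri, headers)) for uri, headers in samples]


if __name__ == "__main__":
    for uri, sids in hunt():
        print(f"{uri:24} -> {sids or 'no match'}")
```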