alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:bad-unknown; sid:2014526; rev:1;)

Added 2012-04-06 17:29:40 UTC

Redacted. This rule depends on 2018576 to set the exploitlanding flowbit, so that is where the origin of the FP comes from; see 2018576 for info.

-- JimMcKibben - 2017-01-12
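
Added example, not part of the original topic or of any Emerging Threats tooling: a small Python tracer that lists which SIDs set the flowbits a given rule tests. This is the dependency the comment above points to when following a false positive back to its source. The setter rule text is a constructed stand-in, since the real text of 2018576 is not on this page; `flowbit_map` and `upstream` are hypothetical helper names.

```python
import re
from collections import defaultdict

# First rule is copied from this page. The second is a CONSTRUCTED stand-in:
# the real text of sid 2018576 is not on this page, only the fact that it
# sets the flowbit.
RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:bad-unknown; sid:2014526; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CONSTRUCTED stand-in for setter rule"; flow:established,to_client; flowbits:set,et.exploitkitlanding; flowbits:noalert; sid:2018576; rev:1;)
'''

SET_ACTIONS = {"set", "toggle"}          # actions that can raise a bit
CHECK_ACTIONS = {"isset", "isnotset"}    # actions that test a bit

def flowbit_map(rules_text):
    """Return (setters, checkers): flowbit name -> set of SIDs."""
    setters, checkers = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
        if not sid:
            continue
        # 'flowbits:noalert;' has no comma, so it is skipped by this pattern.
        for action, args in re.findall(r"flowbits:\s*(\w+)\s*,\s*([^;]+);", line):
            names = args.split(",")[0]               # drop optional group name
            for bit in re.split(r"[|&]", names):     # bit1|bit2 style lists
                bit = bit.strip()
                if action in SET_ACTIONS:
                    setters[bit].add(int(sid.group(1)))
                elif action in CHECK_ACTIONS:
                    checkers[bit].add(int(sid.group(1)))
    return setters, checkers

def upstream(rules_text, sid):
    """For each flowbit that `sid` tests, list the SIDs that set it.
    An empty list means no loaded rule sets the bit, so an isset test
    on it can never match."""
    setters, checkers = flowbit_map(rules_text)
    return {bit: sorted(setters.get(bit, ()))
            for bit, sids in checkers.items() if sid in sids}

if __name__ == "__main__":
    for bit, sids in upstream(RULES, 2014526).items():
        print(f"2014526 tests {bit}; set by: {sids or 'NO RULE LOADED'}")
```
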


Topic revision: r2 - 2017-01-12 - JimMcKibben
 