#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; content:"|0d 0a 0d 0a|CWS"; classtype:bad-unknown; sid:2014527; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)

Added 2017-08-07 21:07:56 UTC


##alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; content:"|0d 0a 0d 0a|CWS"; classtype:bad-unknown; sid:2014527; rev:4;)

Added 2014-08-21 23:27:07 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"CWS"; within:3; classtype:bad-unknown; sid:2014527; rev:1;)

Added 2012-04-06 17:29:41 UTC

Multiple false positives - triggered by flash content on i.cdn.turner.com linked from cnn.com and flash content on www.ata.org

-- JonH - 19 Sep 2012


Topic revision: r2 - 2012-09-19 - JonH
 
Copyright © Emerging Threats