alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern:only; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:4;)

Added 2012-11-09 17:20:01 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; depth:9; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:3;)

Added 2012-11-08 21:01:55 UTC


Topic revision: r1 - 2012-11-09 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats