# sid 2027145 - Spelevo exploit kit, outbound HTTP request associated with its Flash exploit.
# The rule inspects the client request only (flow:established,to_server; $HOME_NET -> $EXTERNAL_NET),
# so an alert shows that an internal host asked for the resource, not that exploitation succeeded.
#
# Match logic, in rule order:
#   - urilen:38 with "/?s=" at offset 0 of the URI (this content is the fast_pattern), and the /U pcre
#     pins the whole URI to "/?s=" + 32 chars of [a-f0-9] + 2 chars of [a-z] (4 + 32 + 2 = 38).
#   - The header buffer contains "/?s=" followed by exactly 34 bytes and then CRLF, i.e. some header
#     value ends in a token of the same length.
#   - "x-flash-version:" appears in the headers; there is no nocase, so the match is case-sensitive.
#   - The Referer pcre requires an http:// referer whose path is the same "/?s=<32 hex><2 letters>" form.
#
# NOTE(review): the Referer pcre uses flags /Hi without `m`, so `^` anchors at the start of the header
#   buffer rather than at each header line - confirm it still matches when Referer is not the first header.
# NOTE(review): only http:// referers are matched and the rule is `alert http`; https referers and
#   traffic the engine cannot parse as HTTP are presumably out of scope - confirm coverage expectations.
# Triage: the x-flash-version value in the captured request is the client's reported Flash version;
#   check it against patch level and look at the server response for this flow before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Spelevo EK Flash Exploit Attempt"; flow:established,to_server; urilen:38; content:"/?s="; http_uri; depth:4; fast_pattern; content:"/?s="; http_header; content:"|0d 0a|"; http_header; distance:34; within:2; pcre:"/^\/\?s=[a-f0-9]{32}[a-z]{2}$/U"; content:"x-flash-version|3a|"; http_header; pcre:"/^Referer\x3a\x20http\:\/\/[^\r\n\x2f]+\/\?s=[a-f0-9]{32}[a-z]{2}\r?\n/Hi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2027145; rev:2; metadata:affected_product Adobe_Flash, attack_target Client_Endpoint, deployment Perimeter, tag Spelevo_EK, signature_severity Major, created_at 2019_04_02, updated_at 2019_04_02;)

Added 2019-04-02 18:23:34 UTC

Topic revision: r1 - 2019-04-02 - TWikiGuest