alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible PurpleFox EK Framework URI Struct Flash Request"; flow:established,to_server; urilen:>60; content:"GET"; http_method; content:"rawcdn.githack.com"; http_host; fast_pattern; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-z.-]+\/[a-f0-9]{40}\/[a-z.-]+\/[a-z0-9]+\.swf$/U"; metadata: former_category EXPLOIT_KIT; classtype:trojan-activity; sid:2028980; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2019_11_14, updated_at 2019_11_14;)

Added 2019-11-14 19:36:05 UTC


Topic revision: r1 - 2019-11-15 - TWikiGuest
 
Copyright © Emerging Threats