# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #------------------- # EXPLOIT-KIT RULES #------------------- alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:".. 
HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e\x2e$/mU"; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jnlp request"; flow:to_server,established; urilen:18; content:".jnlp"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9]{12}\.jnlp$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26964; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jar request"; flow:to_server,established; urilen:14; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-f0-9]{9}\.jar$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26963; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit portable executable download"; flow:to_client,established; file_data; content:"|4F CF 6A BC A1 03 01 00 69|"; depth:9; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26962; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"id="; within:64; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; 
http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit successful redirection - jnlp bypass"; flow:to_server,established; content:"php?jnlp="; fast_pattern:only; http_uri; pcre:"/php\?jnlp\=[a-f0-9]{10}($|\x2c)/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26541; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer injection - specific structure"; flow:to_client,established; file_data; content:"try{document.body-=12|3B|}catch(dv32r3)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26540; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit pdf download detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<< /CreationDate (D|3A|20130404171020)>>"; 
fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26539; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit landing page received"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit jar download detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main.class"; content:"NOnoa.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26537; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value="; distance:0; content:"PD"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26535; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit portable executable download"; flow:to_server,established; content:"/elections.php?"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/U"; 
flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt"; flow:to_server,established; content:"/info/last/index.php"; fast_pattern:only; http_uri; pcre:"/^Host:\s*?[a-f0-9]{63,64}\./Him"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26527; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"|2F 2A 14 20|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit redirection structure"; flow:to_client,established; file_data; content:""; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; 
reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26511; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bottom.class"; content:"Bottom10.class"; distance:0; content:"Bottom11.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26509; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll"; flow:to_client,established; content:"filename="; http_header; content:"info.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26508; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit jar file downloaded"; flow:to_client,established; file_data; content:"Suburb.class"; content:"Suburb013.class"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service 
pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26434; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?j="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?j\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26384; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?i="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?i\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26383; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; urilen:8; content:".jar"; http_uri; content:" Java/1"; http_header; content:"content-type|3A| application/x-java-archive"; fast_pattern:20,20; 
pcre:"/\/([0-9][0-9a-z]{2}|[0-9a-z][0-9][0-9a-z]|[0-9a-z]{2}[0-9])\.jar$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26377; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"=new Array|3B|EGYPACK_CRYPT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26368; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Egypack exploit kit outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Egypack/1."; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26367; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"|0A||0A||0A 0A|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; 
distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit rhino remote code execution exploit download - autopwn"; flow:to_server,established; content:"/rhino/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27084; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn"; flow:to_server,established; content:"/jmxbean/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27083; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit flash remote code execution exploit download - autopwn"; flow:to_server,established; content:"/flash_atf/"; fast_pattern; http_uri; content:".swf"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-1535; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27082; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Internet Explorer exploit download - autopwn"; flow:to_server,established; content:"/ie_exec/2.html"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-4969; reference:url,www.basemont.com/june_2013_exploit_kit_2; 
classtype:trojan-activity; sid:27081; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Firefox exploit download - autopwn"; flow:to_server,established; content:"/ff_svg/1.bin"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0757; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27080; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page stage 2"; flow:to_client,established; file_data; content:"global_exploit_list[exploit_idx].resource"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27079; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:" Loading"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27078; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>32; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27072; rev:4;) # alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>16; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27071; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious portable executable download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"c|3A 5C|Soft|5C|cebhlpod.txt"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27069; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Tretre.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27068; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(qwqw){"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27067; rev:4;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; content:"/jlnp.html"; fast_pattern:only; http_uri; pcre:"/\/jlnp\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<link 
href=|27|"; content:".css|27| rel=|27|stylesheet|27|><link href=|27|"; within:100; content:"{a={plugins|3A|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27026; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; content:".php?"; http_uri; content:"content-type: application/"; http_header; content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"|27| value=|27|JTIw"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27143; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"<html><head><script 
type=|27|text/javascript|27| src=|22|js/PluginDetect.js|22|>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27142; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09| var"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit numerically named exe file dowload"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:4; distance:4; http_header; pcre:"/filename\=\d{4}\.exe$/H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; 
reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"counter.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:27242; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page detected"; flow:to_client,established; file_data; content:"<OBJECT CLASSID=|22|clsid|3A|5852F5ED-8BF4-11D4-A245-0080C6F74284|22| width=|22|1|22| height=|22|1|22|><PARAM name=|22|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27241; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit request structure"; flow:to_server,established; content:"/rhino.php?hash="; fast_pattern:only; http_uri; content:"content-type"; http_header; content:"java-archive"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27274; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit iframe redirection"; flow:established,to_client; file_data; content:"<iframe style=|22|position|3A|fixed|3B|top|3A|0px|3B|left|3A|-550px|3B 22| src="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27273; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer toolkit injected iframe detected - specific structure"; flow:to_client,established; file_data; content:"}catch(dgsgsdg"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27271; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"try{++((document.body))}catch(va){if("; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27603; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:" = jref[ind](nip[|22|charAt|22|](i))|3B|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27602; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Kore exploit kit successful Java exploit"; flow:to_server,established; content:"?id="; http_uri; content:"&text="; distance:0; fast_pattern; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27697; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Kore exploit kit landing page"; flow:to_client,established; file_data; content:"|0A||0A||0A|"; distance:0; pcre:"/\/\d+\/\d\.zip\x27\x3b/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; 
reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28428; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; content:".tpl"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/\d{10}\/[a-f0-9]{32}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2551; classtype:trojan-activity; sid:28424; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit single digit exe detection"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:6; fast_pattern; http_header; pcre:"/filename=[\x22\x27]?\d\.exe[\x22\x27]?/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28423; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; fast_pattern; http_uri; pcre:"/^\/i.html\?[a-z0-9]{4}\x3D[a-z0-9]{15}/smiU"; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:125; http_header; content:"|0D 0A|"; distance:0; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28478; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound pdf request"; flow:to_server,established; urilen:<25; content:".pdf"; http_uri; content:"/i.html?"; fast_pattern:only; http_header; content:"Referer|3A|"; 
http_header; content:!"|0D 0A|"; within:100; http_header; content:"|0D 0A|"; distance:0; http_header; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28477; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request by Java - generic detection"; flow:to_server,established; urilen:21<>39; content:":8000"; fast_pattern:only; http_header; content:" Java/1."; http_header; pcre:"/\/[a-z]+\?[a-z]+\=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28476; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:":8000/"; fast_pattern:only; http_header; content:"Referer"; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28475; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit payload download attempt"; flow:to_server,established; urilen:15; content:"/1"; depth:2; fast_pattern; http_uri; pcre:"/^\/1[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:!"Referer"; 
http_header; content:!"Host|3A| fb.me|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28616; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit exploit download attempt"; flow:to_server,established; urilen:15; content:"/0"; depth:2; fast_pattern; http_uri; pcre:"/^\/0[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:"User-Agent|3A|"; http_header; content:!"Referer"; http_header; flowbits:set,file.exploit_kit.jar; flowbits:set,file.exploit_kit.silverlight; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28615; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"type=|22|application/x-silverlight-2|22|"; content:" $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"|0D 0A 20 20|Microsoft apple.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28613; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Silverlight exploit download"; flow:to_client,established; flowbits:isset,file.exploit_kit.silverlight; file_data; content:"PK"; content:"AppManifest.xaml"; distance:0; content:".dll"; distance:0; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28612; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit outbound connection attempt"; flow:to_server,established; urilen:<25; content:".rtf"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.rtf$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28611; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retreive attempt"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.doc$/U"; flowbits:set,file.sakura_kit; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:28610; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download"; flow:to_client,established; flowbits:isset,file.sakura_kit; file_data; content:"secretsecretsecretsecretsecretsecret"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28609; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit Atomic exploit download - specific-structure"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main-Class|3A| atomic.Atomic"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28608; rev:1;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit payload request"; flow:to_server,established; urilen:24<>26,norm; content:"/f/"; fast_pattern:only; http_uri; pcre:"/^\/f\/1\d{9}\/\d{9,10}(\/\d)+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28596; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Oracle Java jar file retrieval"; flow:to_server,established; urilen:25<>26,norm; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d{9,10}\/1\d{9}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28595; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; urilen:26,norm; content:".tpl"; fast_pattern:only; http_uri; pcre:"/^\/\d{10}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28594; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28593; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit possibly malicious iframe embedded into a webpage"; flow:to_client,established; file_data; content:"name=Twitter scrolling=auto frameborder=no align=center height="; content:" width="; within:20; content:" src=http|3A 2F 2F|"; 
within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28798; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt"; flow:to_client,established; file_data; content:"binkeybinkeybinkeybinkeybinkeybinkey"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28797; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT iFRAMEr successful cnt.php redirection"; flow:to_server,established; content:"/cnt.php?id="; fast_pattern:only; http_uri; content:"Referer|3A 20|"; http_header; pcre:"/^\/cnt\.php\?id=\d+$/U"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28796; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt"; flow:to_server,established; urilen:<30; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/\d+\.mp3$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy max-detect-ips alert, ruleset community, service http; reference:cve,2012-0507; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28795; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:"Host|3A|"; http_header; content:":8000"; within:55; http_header; content:"Referer"; http_header; pcre:"/\x2f[a-z]+\?[a-z]+=\d{6,7}$/U"; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28911; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string"; flow:to_server,established; content:"/tx.exe"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28969; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound flash exploit retrieval attempt"; flow:to_server,established; content:"/fla.swf"; fast_pattern:only; http_uri; content:"x-flash-version|3A 20|"; http_header; pcre:"/Referer\x3a[^\n]*fla\.php\?wq=[a-f0-9]+\x0d\x0a/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28968; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection"; flow:to_server,established; urilen:>100; content:".php?hgfc="; fast_pattern:only; http_uri; pcre:"/\.php\?hgfc\=[a-f0-9]+$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:28967; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound POST connection"; flow:to_server,established; content:"POST"; http_method; content:"hyt="; depth:4; http_client_body; content:"&vre="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28966; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT HiMan exploit kit Flash Exploit landing 
page"; flow:to_client,established; file_data; content:"flash_version != null && flash_version[0] < 116000"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28963; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit jar exploit download"; flow:to_server,established; content:".html?jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\.html\?jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29003; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit Silverlight plugin outbound connection attempt"; flow:to_server,established; content:"html?sv="; fast_pattern:only; http_uri; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29002; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SPL2 exploit kit landing page detection"; flow:to_client,established; content:"$$.getVersion(|22|Silverlight|22|)|3B|"; content:"$$.getVersion(|22|Java|22|)"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29001; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt"; flow:to_server,established; urilen:<16; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/\d{1,2}(?P<letter>[A-Z])\d{1,2}(?P=letter)\d{1,2}(?P=letter)\d{1,2}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; 
classtype:trojan-activity; sid:29131; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload download attempt"; flow:to_server,established; urilen:13; content:" Java/1."; fast_pattern:only; http_header; pcre:"/^\/\d{4}\/\d{7}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29130; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit jar exploit download - specific structure"; flow:to_server,established; content:"/hanger.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29129; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29128; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit XORed payload download attempt"; flow:to_client,established; file_data; content:"|7C 68 A3 34 36 36 37 38 35 32 33 34 CA C9 37 38|"; depth:16; metadata:impact_flag red, policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0074; 
reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/12/cve-2013-5329-or-cve-2013-5330-or.html; classtype:trojan-activity; sid:29066; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; content:".exe|0D 0A|"; fast_pattern:only; http_header; content:"filename="; http_header; content:".exe|0D 0A|"; within:6; distance:24; http_header; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/H"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29167; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_server,established; content:"/loadmsie.php?id="; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29166; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound jar request"; flow:to_server,established; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-f0-9]{32}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29165; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound flash request"; flow:to_server,established; content:".swf"; http_uri; content:"x-flash-version|3A|"; http_header; content:"Referer"; http_header; content:"flash.php?id="; distance:0; http_header; pcre:"/\/[a-f0-9]{32}\.swf$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29164; rev:2;) # alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound exploit request"; flow:to_server,established; content:".php?id="; http_uri; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=[a-f\d]{20}/iU"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf; metadata:policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:29163; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request"; flow:to_server,established; urilen:34; content:"/?"; depth:2; fast_pattern; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_header; content:!"Referer|3A|"; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29189; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit embedded open type font file request"; flow:to_server,established; urilen:37; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/U"; metadata:service http; classtype:trojan-activity; sid:29188; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound pdf request"; flow:to_server,established; urilen:<27; content:".pdf"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^\/\d{8,11}\/1[34]\d{8}\.pdf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[\w_]{32,}\.html\r$/Hsm"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:29187; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound connection"; flow:to_server,established; urilen:<28; content:"/1"; http_uri; 
content:".htm"; distance:0; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^(\/\d{8,11})?(\/\d)?\/1[34]\d{8}\.htm$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29186; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"nib|28 27|http|3A 2F 2F|"; content:".mp3|27 29 3B|"; within:25; distance:10; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29361; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"4Um3S0Vm3"; depth:15; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29360; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit eot outbound connection"; flow:to_server,established; urilen:>100; content:".eot"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:!"|0D 0A|"; within:100; content:"/fnts.html"; distance:0; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29453; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; http_uri; pcre:"/\/i\.html\?[a-z0-9]+\=[a-zA-Z0-9]{25}/U"; flowbits:set,styx_landing; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy 
security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29452; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound connection attempt"; flow:to_server,established; content:"/?id=ifrm"; fast_pattern:only; http_header; content:"/?"; depth:2; http_uri; pcre:"/\/\?[a-z0-9]{9}\=[a-zA-Z0-9]{45}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29450; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; flowbits:isset,styx_landing; file_data; content:"<textarea id=|22|"; content:"|22|>"; within:10; isdataat:300,relative; content:!"</textarea>"; within:300; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29449; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"document.write(|27|<app|27|+|27|let archive=|22|"; content:".jar|22| code=|22|"; distance:0; content:"<param val|27|+|27|ue=|22|http|3A 2F 2F|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy 
security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29448; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download - scandsk.exe"; flow:to_client,established; content:"attachment|3B|"; http_header; content:"scandsk.exe|0D 0A|"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:29447; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit jar outbound connection"; flow:to_server,established; urilen:>100; content:".jar"; fast_pattern:only; http_uri; content:"Cookie"; http_header; content:!"|0D 0A|"; within:100; content:" Java/1"; http_header; pcre:"/\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29446; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit fonts download page"; flow:to_server,established; content:"/fnts.html"; fast_pattern:only; http_uri; pcre:"/\/fnts\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; 
classtype:trojan-activity; sid:29445; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download"; flow:to_client,established; content:"flashplayer11_"; http_header; file_data; content:"MZ"; depth:2; metadata:service http; classtype:trojan-activity; sid:29444; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|7D 6B F8 64 76 74 6E 66|"; depth:8; metadata:service http; classtype:trojan-activity; sid:29414; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E F2 32 30 34 6E 68|"; depth:8; metadata:service http; classtype:trojan-activity; sid:29413; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit Java download attempt"; flow:to_server,established; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_-]{48}$/Ui"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29412; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"navigator.userAgent.indexOf(|27|Firefox|27|)>=0|7C 7C|navigator.userAgent.indexOf(|27|MSIE|27|)>=0))"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:29411; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; nocase; http_uri; content:" Java/1."; fast_pattern:only; http_header; pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:29864; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older"; flow:to_server,established; content:".php?a=h7"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30009; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP"; flow:to_server,established; content:".php?a=h6"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30008; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17 "; flow:to_server,established; content:".php?a=h5"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; 
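reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30007; rev:3;)
# NOTE(review): the line above is the tail of sid 30007 and the last line of this stretch is
# the head of a Sweet Orange rule; the rest of each lies outside this excerpt and both are
# kept exactly as found.
#
# The rules below were restored to one rule per physical line. Snort treats a leading `#`
# as a comment running to the end of the physical line, so a disabled rule ("# alert ...")
# that shares a line with enabled rules silently disables those as well. Rules that had
# been split across two physical lines were rejoined. No rule option, reference or SID was
# changed; the `#` markers are exactly those present in the original.
#
# Hello/LightsOut: the to_server rules key on a `.php?a=h<n>` URI together with the
# `.php?a=h1&f=` / `&u=Mozilla` header content. sid 30003 sets file.exploit_kit.pe and
# sid 30002 sets file.exploit_kit.jar so the generic file-download rules can fire later.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP"; flow:to_server,established; content:".php?a=h4"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30006; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17"; flow:to_server,established; content:".php?a=h3"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30005; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17"; flow:to_server,established; content:".php?a=h2"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30004; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt"; flow:to_server,established; content:".php?a=dw"; fast_pattern:only; http_uri; pcre:"/\?a=dw[a-z]$/U"; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2011-1255; reference:cve,2012-1723; reference:cve,2013-1489; reference:url,attack.mitre.org/techniques/T1189; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30003; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit Java download attempt"; flow:to_server,established; content:".php?a=r"; fast_pattern:only; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30002; rev:3;)
# Landing page: the pcre ties the created iframe variable name to the later .style.visibility,
# .src (pointing at a .php) and .appendChild() references via a named back-reference.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected"; flow:to_client,established; file_data; content:"document.createElement(|22|iframe|22|)"; fast_pattern:only; content:".width"; content:".height"; content:".style.visibility"; within:50; content:".php"; within:300; content:".appendChild("; within:500; pcre:"/var\s(?P<name>\w+)\s?=\s?document\.createElement\x28\x22iframe\x22\x29.*?(?P=name)\.style\.visibility.*?(?P=name)\.src\s?=\s?[\x22\x27][^\x22\x27]*\.php.*?\.appendChild\x28(?P=name)\x29/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30001; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload delivery - specific string"; flow:to_client,established; content:"filename="; http_header; content:"very.mhh"; within:12; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30134; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"frameborder=|22|NO|22| framespacing=|22|0|22| border=|22|0|22|><frame name="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30133; rev:1;)
# Nuclear: URI-structure rules; 30220 sets file.exploit_kit.pe, 30219 sets file.exploit_kit.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(?:\/\d)?\/1[34]\d{8}(?:\/\d{9,10})?(?:\/\d)+[^a-zA-Z]{1,6}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30220; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound jar request"; flow:to_server,established; content:"/1"; http_uri; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^(?:\/\d{9,10})?(?:\/\d)?\/1[34]\d{8}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30219; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Zuponcic exploit kit Oracle Java file download"; flow:to_client,established; content:"filename="; nocase; http_header; content:"FlashPlayer.jar"; within:17; fast_pattern; http_header; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\?rnd=\d+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30319; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"<html><th>Wait Please...</th><body>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30317; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:".xml|22| name=|22|jnlp_href|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT WhiteLotus exploit kit plugin outbound detection"; flow:to_server,established; urilen:32; content:"POST"; http_method; content:"v="; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"&w="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30312; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SofosFO/Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30306; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:>32; content:" Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9]){32}[\/_]*?\/\d+?$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30768; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:66; content:" Java/1."; http_header; pcre:"/^\/(?:[a-f0-9]{32}\/[a-f0-9]{32})$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30767; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit landing page"; flow:to_client,established; file_data; content:"<EMBED code="; content:"archive=|22|http|3A 2F 2F|"; distance:0; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\x22/R"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30766; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - base64 encoded xml/jnlp statement"; flow:to_client,established; file_data; content:"Cjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+CjxqbmxwIHNwZWM9IjEuMCIgeG1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30852; rev:1;)
# Disabled in this ruleset (leading `#`) and carrying no `policy` metadata entry; re-enable
# deliberately rather than by accident of line layout.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java"; flow:to_server,established; urilen:<50,norm; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\d+\.mp3$/U"; metadata:service http; classtype:trojan-activity; sid:30878; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound PDF request"; flow:to_server,established; content:".pdf"; http_uri; content:"/1/1"; fast_pattern:only; http_uri; content:".html"; http_header; pcre:"/^\/\d{9,10}\/1\/1\d{9}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:30937; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure"; flow:to_server,established; content:".php?req="; fast_pattern; nocase; http_uri; content:"&PHPSSESID="; distance:0; http_uri; pcre:"/\.php\?req=(?:x(?:ap|ml)|swf(IE)?|mp3|jar)\&/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:30936; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|3A|stroke id="; fast_pattern:only; content:"|3B|function pop(koz)"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30935; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|89 B4 F4 6A 24 1F 46 14|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30934; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit redirection gate"; flow:to_server,established; urilen:72; content:"POST"; http_method; content:".php?q="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30920; rev:1;)
# Disabled; raw-content rule over `any` ports with no http_ buffer modifiers.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request"; flow:to_server,established; content:"/testi.jnlp"; content:" Java/1."; distance:0; metadata:impact_flag red, service http; classtype:trojan-activity; sid:30960; rev:2;)
# CritX: the to_client landing-page rules below gate on critx_* flowbits that are set by the
# to_server request rules (sids 30972, 30971, 30970, 30969). The two setters that carry
# flowbits:noalert (30972 and 30969) never alert themselves; disabling either one silently
# blinds the to_client rule that tests its bit (30968 and 30966 respectively).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"<script>"; content:"var "; within:4; distance:1; content:"|27|toString|27|"; distance:0; pcre:"/var\s+(?P<name>\w+)\=function\(.*?\x27\x2b(?P=name)\(\d+\x29/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30976; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"document.write"; content:"archive="; distance:0; content:".jar"; distance:0; pcre:"/\/[a-f0-9]{32}\.jar/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30975; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload request"; flow:to_server,established; content:"/load"; http_uri; content:".php"; distance:0; http_uri; pcre:"/\/load(?:(?:db|rh|silver|msie|flash|fla[0-9]{4,5}))\.php/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware-traffic-analysis.net/2014/05/29/index.html; classtype:trojan-activity; sid:30973; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Silverlight landing page"; flow:to_server,established; content:"/silver.php"; fast_pattern:only; http_uri; flowbits:set,critx_font; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30972; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Oracle Java landing page"; flow:to_server,established; content:"/java"; fast_pattern:only; http_uri; pcre:"/\/java(rh|db)\.php$/U"; flowbits:set,critx_java; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:trojan-activity; sid:30971; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Adobe Flash landing page"; flow:to_server,established; content:"/flash201"; fast_pattern:only; http_uri; pcre:"/\/flash201(3|4)\.php$/U"; flowbits:set,critx_flash; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:trojan-activity; sid:30970; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Internet Explorer landing page"; flow:to_server,established; content:"/msie.php"; fast_pattern:only; http_uri; flowbits:set,critx_ie; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30969; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to font exploit"; flow:to_client,established; flowbits:isset,critx_font; file_data; content:"/x-silverlight-2"; content:".eot"; distance:0; content:"aHR0cDov"; distance:0; pcre:"/^[\w+\/]+(?:(?:LmVvdA|5lb3Q)==?|uZW90)[\x22\x27]/Rsi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30968; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"createFlashMarkup"; content:".swf"; distance:0; pcre:"/[a-zA-Z0-9]\/[a-f0-9]{5}\.swf[\x22\x27]/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30967; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Microsoft Internet Explorer exploit"; flow:to_client,established; flowbits:isset,critx_ie; file_data; content:"behavior:url(#default#VML"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30966; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"jnlp_embedded"; content:"C9qbmxwPg=="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30965; rev:1;)
# Angler URL-structure rules (31046, 31332, 31371): these only set file.exploit_kit.* bits for
# the payload rules; 31332 is flowbits:noalert and 31046/31371 are max-detect-ips only, so in
# the balanced and security policies they are state setters, not alert sources.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:70<>82; content:"= HTTP/"; fast_pattern:only; content:"User-Agent"; http_header; pcre:"/^\/[-\w]{70,78}==?$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:31046; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|21 3B E3 70 65 6E 66 64|"; depth:8; metadata:service http; classtype:trojan-activity; sid:31130; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound swf request"; flow:to_server,established; content:"/1"; http_uri; content:".swf"; fast_pattern:only; http_uri; pcre:"/^(?:\/\d{9,10})?(?:\/[16])?\/1[34]\d{8}\.swf$/U"; metadata:service http; classtype:trojan-activity; sid:31237; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound jar request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/modules\/\d\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31232; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/load_module.php?user="; fast_pattern:only; http_uri; pcre:"/\/load_module\.php\?user\=(n1|1|2|11)$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31231; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/add_visitor.php?referrer=http://"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31230; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; pcre:"/\/modules\/(n?\d|nu)\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31229; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"#default#VML"; fast_pattern:only; content:"*/var "; isdataat:500,relative; content:"|3B|function "; within:50; pcre:"/\x3bfunction\s(?P<name>\w)\x28.*\x3b(?P=name)\x28\x22[\da-z]+\x22\x29\x3b/"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:31298; rev:2;)
# CottonCastle: every rule in this group uses `any` ports and raw `content`/`pcre` with no
# http_ buffer modifiers, so it inspects the unnormalized stream rather than the HTTP
# inspector's buffers (presumably because the kit was observed on non-standard ports).
# NOTE(review): msg casing differs between sid 31278 ("Oracle java") and 31277
# ("Oracle Java"); left unchanged here.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit decryption page outbound request"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\sHTTP/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31279; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".mkv"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.mkv/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31278; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle Java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".djvu"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.djvu/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31277; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:35; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\/\d+\.\d+\.\d+\.\d+\//"; flowbits:set,file.exploit_kit.flash; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; reference:cve,2013-0634; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31276; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit landing page"; flow:to_client,established; content:"*/adv=|27|OrbitWhite|27|/* "; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31275; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit encrypted binary download"; flow:to_client,established; content:"filename="; content:".jat"; distance:0; pcre:"/filename=[a-z]+\.jat/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31274; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:65,norm; content:"User-Agent"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{64}$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:31332; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E C2 32 61 34 6E 68|"; depth:8; metadata:service http; classtype:trojan-activity; sid:31331; rev:2;)
# 31371 (and 32399, 31701 below) include content:!"Referer": the absence of a Referer header is
# part of the match, not merely ignored.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:"Cache-Control|3A 20|no-cache|0D 0A 0D 0A|"; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1\.[^\x2f]+Host\x3a\x20[^\x3a]+\x3a\d+\x0d\x0a/"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:31371; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit redirection page"; flow:to_client,established; file_data; content:"var|20|"; content:"|3B 20|var|20|"; within:20; distance:5; content:"|3B 20|if(!Array.prototype.indexOf){"; within:50; distance:5; content:"this.length|3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; pcre:"/^\/\d{2,4}\.xap$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31369; rev:2;)
# Disabled; community-ruleset rule with no `policy` entry.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:established,to_server; urilen:25<>32; content:".html?0."; depth:11; offset:2; http_uri; pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/U"; metadata:ruleset community, service http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request"; flow:to_server,established; content:".x HTTP/1."; fast_pattern:only; content:" MSIE "; http_header; content:!"Referer"; nocase; http_header; flowbits:set,file.exploit_kit.silverlight; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31701; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit landing page detection"; flow:to_client,established; file_data; content:"<li class=|22|is-new|22|>"; content:"<a href=|22|show.php"; within:17; distance:1; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31700; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|71 75 B9 86 D8 51 1B 7B|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31699; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 36 F4 6F 6D 6A 66 67|"; depth:8; metadata:service http; classtype:trojan-activity; sid:31695; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page detected"; flow:to_client,established; file_data; content:"=|22|1|3B|url=about|3A|Tabs|22 20|http-equiv"; fast_pattern:only; content:"|5C|x72|5C|x65|5C|x70|5C|x6C|5C|x61|5C|x63|5C|x65"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31692; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detection"; flow:to_client,established; file_data; content:"=|27|+|27 20 22|re|27|+|27|pl|27|+|27|ac|27|+|27|e|22 3B 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31734; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt"; flow:to_client,established; content:"jquery_datepicker"; fast_pattern:only; pcre:"/(var jquery_datepicker=)|(jquery_datepicker.replace)/"; metadata:impact_flag red, service http; reference:url,malware-traffic-analysis.net/2014/08/18/index.html; classtype:trojan-activity; sid:31770; rev:1;)
# Sweet Orange "non-standard port" rules: the Host pcre requires an explicit `:port` suffix
# in the Host header, which is what distinguishes them from default-port traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port"; flow:to_server,established; content:"/stargalaxy.php?nebula="; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31769; rev:1;)
# Generic flash download rules: "ZWS" and "CWS" are the LZMA- and zlib-compressed SWF file
# signatures. Both require file.exploit_kit.flash to have been set earlier in the flow by one
# of the request/landing-page rules, so they do not fire on ordinary SWF downloads.
# NOTE(review): there is no companion rule here for the uncompressed "FWS" signature.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"ZWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31903; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"CWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31902; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected"; flow:to_client,established; file_data; content:"nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31900; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected"; flow:to_client,established; file_data; content:"SYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6Qty"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31899; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|22 29 3B 0A 0D 0A|</script>"; fast_pattern; content:"</script>|0A|<script>"; within:150; content:"|0A 0D 0A|</script>|0D 0A|<h"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31898; rev:1;)
# Scanbox: 31859 is pinned to destination port 8087 (with `service http` metadata), so the same
# POST body to any other port will not match it. 31858 and 31857 carry the identical content
# signature but over SMTP ($SMTP_SERVERS 25) and over $FILE_DATA_PORTS respectively.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8087 (msg:"EXPLOIT-KIT Scanbox exploit kit exfiltration attempt"; flow:to_server,established; content:"projectid="; depth:10; nocase; content:"&seed="; within:40; nocase; content:"&ip="; within:40; nocase; content:"&referrer="; within:40; nocase; content:"&agent="; within:40; nocase; content:"&location="; within:250; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31859; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_server,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31858; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_client,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31857; rev:2;)
# Astrum: all five rules below are disabled. The payload-delivery rules gate on
# file.exploit_kit.pe, which in this group is set by sid 31970/31965 (also disabled) or by
# other kits' request rules; re-enabling only a payload rule without a setter yields nothing.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0 DB D2 51|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31972; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit redirection attempt"; flow:to_server,established; urilen:>60,norm; content:"POST"; http_method; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Referer|3A 20|"; http_header; content:"x-req|3A 20|"; fast_pattern; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31970; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|F2 F7 94 75 16 7E 8E 15|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31967; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31966; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit landing page"; flow:to_client,established; file_data; content:"{(new Image).src=|22|/"; content:"%72%6f%72%72%65%6e%6f"; distance:0; fast_pattern; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31965; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit landing page"; flow:to_client,established; file_data; content:"expires=|22|+expires.toGMTString()"; nocase; content:"51yes.com/click.aspx?"; fast_pattern; nocase; content:"|22|gb2312|22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31988; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32390; rev:1;)
# NOTE(review): in sid 32389 the optional group `(.jar)?` leaves the dot unescaped, so it also
# accepts any single character before "jar"; harmless for a trailing-anchored match but looser
# than the sibling rules' `\.jar`. Left unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Oracle Java request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/14\d{8}(.jar)?$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32389; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"*/ new Function(|22|"; content:"|22|,|22|if("; within:20; content:" != |27 27|){"; pcre:"/new\sFunction\x28\x22(?P<a1>\w+)\x22\,\x22if\x28(?P=a1)\x20/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32388; rev:1;)
# sid 32387 matches the ZIP/JAR signature (PK|03 04|) at the start of a response body whose
# filename= header value ends in ".swf" - i.e. a jar served under a swf name. The msg says
# "jar file download" on purpose; the ".swf" in the rule is the disguise, not the file type.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit jar file download"; flow:to_client,established; content:"filename="; content:".swf"; within:4; distance:8; file_data; content:"PK|03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32387; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound structure"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(\/[^\x2f]+)?\/14\d{8}(\/\d{9,10})?(\/\d)+(\/x[a-f0-9]+(\x3b\d)+?)?$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:32386; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound Oracle Java request"; flow:to_server,established; content:"accept-encoding|3A| pack200-gzip, gzip"; fast_pattern:only; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:" Java/1."; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:32399; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request"; flow:to_server,established; content:"/Plugin.jar"; http_uri; content:" Java/1."; http_header; content:"="; depth:1; offset:32; http_cookie; pcre:"/[a-f0-9]{32}=[a-f0-9]{32}/C"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; classtype:trojan-activity; sid:32555; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hellspawn exploit kit landing page detected"; flow:to_client,established; file_data; content:"weCameFromHell(|27|<applet name=|22|Update Java"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32554; rev:1;)
# Sweet Orange "defined port" rules: all disabled; raw-content rules over `any` ports whose
# Host pcre requires an explicit `:port` suffix.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port"; flow:to_server,established; content:"GET"; content:".jnlp HTTP/1.1"; distance:0; content:" Java/1."; content:"Host"; content:"|3A|"; distance:0; pcre:"/(applet|testi)\.jnlp\sHTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32641; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection"; flow:to_server,established; content:"GET /"; content:".php?"; fast_pattern:only; pcre:"/\w+\.php\?\w+\=\d+\s*HTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32640; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port"; flow:to_server,established; content:"GET"; content:".jar HTTP/1.1"; distance:0; content:" Java/1."; content:"Host|3A|"; pcre:"/Host\x3a[^\n]+\x3a\d+\r\n/"; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:32639; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port"; flow:to_server,established; content:"GET /"; 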
content:"x-flash-version|3A 20|1"; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; pcre:"/Referer\x3a[^\n]+\x3a\d+\x2f/"; metadata:service http; classtype:trojan-activity; sid:32638; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT known malicious javascript packer detected"; flow:to_client,established; file_data; content:"function|28 2F 2A|"; content:"|2A 2F|p,|2F 2A|"; within:25; content:"|2A 2F|a,|2F 2A|"; within:25; content:"|2A 2F|c,|2F 2A|"; within:25; content:"|2A 2F|k,|2F 2A|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/; classtype:misc-activity; sid:32804; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CK exploit kit landing page"; flow:to_client,established; file_data; content:"=|22|i|22|+|22|m|22|+|22|g|22 3B|"; content:"=|22|s|22|+|22|r|22|+|22|c|22 3B|"; within:14; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32803; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; urilen:>36; content:"/ABs"; fast_pattern:only; http_uri; pcre:"/^\/ABs[A-Za-z0-9]+$/U"; flowbits:set,Nuclear; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32880; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit payload delivery"; flow:to_client,established; flowbits:isset,Nuclear; content:"X-Powered-By|3A 20|"; http_header; content:"application/octet-stream"; http_header; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:"filename="; distance:0; 
http_header; pcre:"/filename=[a-z0-9]+\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32879; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32878; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/13"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}(?:\.swf)$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32877; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})(?:\.xap)$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:32876; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit Adobe Flash download"; flow:to_client,established; flowbits:isset,file.nuclear.flash; content:"x-shockwave-flash"; http_header; content:"filename="; distance:0; http_header; content:".swf"; distance:0; http_header; pcre:"/filename\=\d+\.swf/H"; content:"ZWS"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32995; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit 
kit Adobe Flash SWF exploit download"; flow:to_server,established; file_data; content:"|12 73 00 00 62 05 24 01 C5 25 FF 01 A8 63 05 62 03 62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33187; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8 63 06|"; content:"|62 06 66 01 25 FF 01 A8 C5 25 FF 01 A8 63 09|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33186; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B C7 6A 1E 7C C2 43 EA|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33185; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash download"; flow:to_client,established; content:"Expires|3A| Sat, 26 Jul 2007 05|3A|00|3A|00 GMT"; fast_pattern:only; http_header; content:"x-shockwave-flash"; nocase; http_header; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:33184; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2039"; fast_pattern:only; 
http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33183; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request"; flow:to_server,established; urilen:49,norm; content:"Referer"; http_header; content:"x-flash-version|3A|"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{48}$/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:33182; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33274; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33273; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service 
ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33272; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33271; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|80 E2 3F 18 CF F1 3D 00 C4 1C 6E 7A 9F A6 2F 5D 04 11 2E BF C5 79 FC FC 26 2F F0 88 C6 76 1D C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33286; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"allowScriptAccess=always"; fast_pattern:only; content:"param name=FlashVars"; nocase; content:"value"; within:25; nocase; content:"exec="; within:25; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:33292; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound uri structure"; flow:to_server,established; urilen:27; content:"/lists/"; fast_pattern:only; http_uri; pcre:"/^\/lists\/\d{20}$/U"; metadata:impact_flag red, policy balanced-ips 
drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33663; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>160,norm; content:"/?"; depth:2; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33906; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>80,norm; content:"/index.php?"; depth:11; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33905; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit obfuscated file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A 3F 0B D4 6C 4F 48 61 50|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:33983; rev:4;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"</script></head>|0D 0A|<body>|0D 0A|<h"; fast_pattern:only; content:"<textarea id=|27|"; content:"|27| title=|27|"; within:25; content:"|27| name=|27|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33982; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit flash file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A|ZWS"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33981; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; fast_pattern:only; http_header; content:".pdf"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b[^\x0d\x0a]filename=[a-z]{5,8}\d{2,3}\.pdf\x0d\x0a/Hm"; flowbits:set,file.exploit_kit.pdf; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34334; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download"; 
flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:".jar"; fast_pattern:only; http_header; pcre:"/filename=[a-z]{5,8}\d{2,3}\.jar\x0d\x0a/Hm"; file_data; content:"PK"; within:2; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:34332; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:".xap"; http_header; pcre:"/filename=[a-z]{5,8}\d{2,3}\.xap\x0d\x0a/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:set,file.exploit_kit.silverlight; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34331; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:".swf"; http_header; pcre:"/filename=[a-z]{5,8}\d{2,3}\.swf\x0d\x0a/Hm"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34330; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit payload download"; flow:to_server,established; urilen:49; content:"HTTP/1.1|0D 0A|Host|3A|"; fast_pattern:only; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[\w-]{48}$/U"; metadata:service http; classtype:trojan-activity; sid:34348; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected"; flow:to_client,established; file_data; 
content:"9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31901; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B 28 FF 53 4B 75 39 68|"; depth:8; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:31694; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Fiesta exploit kit outbound connection attempt"; flow:to_server,established; urilen:>70; content:"User-Agent|3A|"; http_header; content:"/"; depth:2; offset:8; http_uri; content:!"&"; http_uri; content:!"details"; http_uri; content:!"weather"; http_uri; content:!"texture"; http_uri; content:!"mailing"; http_uri; content:!"captcha"; http_uri; content:!"/counters/"; http_uri; content:!"/results/"; http_uri; pcre:"/^\/\/?[a-z0-9_]{7,8}\/\??[0-9a-f]{60,68}[\x3b\x2c\d+]*$/U"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.silverlight&file.exploit_kit.flash; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:29443; rev:16;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound plugin detection response - generic detection"; flow:to_server,established; urilen:<18,norm; content:"POST"; http_method; content:"Referer|3A|"; http_header; content:"|3A|8000/"; distance:0; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28474; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise"; flow:to_server,established; content:".php?ex=jre"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&ver=1."; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28309; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file download attempt"; flow:to_client,established; flowbits:isset,file.exploit_kit.jar; file_data; content:"PK"; depth:5; content:".class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27816; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Redkit exploit kit short jar request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; content:"content-type|3A| application/x-java-archive"; http_header; pcre:"/^\/[a-z0-9]{1,4}\.jar$/U"; content:!"cbssports.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:11;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file dropped"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"BurkinoGoso.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; 
classtype:trojan-activity; sid:25803; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit exploit download"; flow:to_server,established; urilen:52<>59,norm; content:"."; depth:1; offset:49; http_uri; content:"Referer|3A 20|http|3A 2F 2F|"; http_header; pcre:"/^\/[\w-]{48}\.[a-z]{2,8}[0-9]?$/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f[^\n]+\/\d{10,20}\x0d\x0a/Hm"; flowbits:set,file.exploit_kit.flash&file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34720; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<script>"; content:"/*"; within:100; content:"*/"; within:20; content:".substr|28|"; within:40; content:"/*"; within:10; content:"*/"; within:20; pcre:"/<script>.*?\x2f\x2a\w+\s\x2a\x2f\s*\x22\w+\x22\x2b\x22\w+\x22\x2esubstr\x28\d{2},\d{2}\x29\x2f\x2a\w+\s\x2a\x2f\s\x3b/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2015/06/15/index.html; classtype:trojan-activity; sid:34970; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<p"; content:"px|3B| font-style|3A| none|3B| "; within:100; content:"overflow|3A|hidden|3B|"; within:25; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2015/06/15/index.html; classtype:trojan-activity; sid:34969; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Null Hole exploit kit malicious swf request"; flow:to_server,established; urilen:>37; content:".swf"; http_uri; content:"Cookie|3A| nhweb="; fast_pattern:only; pcre:"/\x2f[a-f0-9]{32}\x2f\w+\x2eswf/iU"; metadata:policy security-ips drop, 
service http; classtype:attempted-user; sid:35085; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Null Hole exploit kit binary download request"; flow:to_server,established; urilen:>43; content:".exe&h="; fast_pattern:only; http_uri; content:"Cookie|3A| nhweb="; content:!"Referer"; http_header; pcre:"/\x2f[a-f0-9]{32}\x2f\w+\d+\x2eexe\x26h\x3d\d/iU"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:35084; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected"; flow:to_server,established; file_data; content:"|0E|IIll1III111I11|0E|Illl1III111I11"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html; classtype:trojan-activity; sid:35110; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected"; flow:to_client,established; file_data; content:"|0E|IIll1III111I11|0E|Illl1III111I11"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html; classtype:misc-attack; sid:35109; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<p style=|22| width|3A|7px|3B| height|3A|19px|3B| text-overflow|3A| clip|3B 22|>"; metadata:policy balanced-ips drop, policy 
security-ips drop, service http; classtype:trojan-activity; sid:35256; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash download attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|B4 51 40 A2 02 12 14 10 AF 80 38 05 B4 54 40 0B 05 34 57 40 33 05 44 2B A0 8A 02 22 14 D0 48 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35335; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash download attempt "; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|93 C5 3E 7E 94 C9 64 51 B9 4C F6 DB 7F F7 89 EC C7 B2 E7 EF B5 CC 24 7B 94 C9 A1 DF 42 59 D5 6F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35334; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 49 00 D0 2C 08 61 24 D0 2C 05 61 0C D0 2C 0A 61 35 D0 2C 0B 61 33 D0 2C 16 61 3A D0 2C 03 61 14 D0 2C 0E 61 25 D0 2C 0F 61 30 D0 2C 10 61 2F D0 2C 11 61 2E D0 2C 12 61 20 D0 2C 13 61 3C D0 2C 14 61 31 D0 2C 15 61 34 D0 2C 04 61 37 47|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35333; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<span class=|22|text|22| id = |22|"; content:"|22| style=|22| height|3A|21px|3B| font-style|3A| none|3B| width|3A|7px|3B| |22|><br>"; within:150; metadata:service http; classtype:trojan-activity; sid:35550; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit flash exploit download 
attempt"; flow:to_server,established; urilen:>80; content:"Accept|3A| */*"; content:"Proxy-Authorization|3A| NTLM "; content:"TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="; within:56; content:"x-flash-version|3A|"; pcre:"/http\x3a\x2f\x2f\w+\x2e\w+\x2f[^\x2e\x2f]{70}/i"; metadata:service http; classtype:attempted-user; sid:35542; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"<script>"; content:"[|22|scr|22|,|22|ipt|22|]|3B|"; distance:0; content:"[|22|j|22|,|22 22|,|22|a|22|,|22|v|22|,|22|a|22|]|3B|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:35845; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit browser version detection attempt"; flow:to_client,established; file_data; content:"inne"; content:"rHTML"; within:15; distance:3; content:"if|28|"; within:20; content:"MSIE"; within:10; content:"[0-7]|5C|.|5C|d+"; within:15; fast_pattern; content:"navigator"; within:30; content:"userAgent"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:36071; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Scanbox exploit kit exfiltration attempt"; flow:to_server,established; content:"/new/newscan/i/?10"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:36201; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit relay traffic detected"; flow:to_server,established; content:"DNT|3A| 1"; 
fast_pattern:only; http_header; content:"Content-Type|3A| application/json|3B| charset=utf-8"; http_header; content:"Content-Length|3A| 1"; http_header; content:"|7B 22|"; depth:2; http_client_body; pcre:"/^\x7b\x22[a-f0-9]{4}\x22\x3a\x22([a-f0-9]{32}|false)\x22,/smiP"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:36315; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit browser detection attempt"; flow:to_client,established; file_data; content:"navigator.maxTouchPoints&&!document.all"; fast_pattern:only; content:"Trident"; content:"window.navigator.vendor"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:36286; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<p style=|22| width|3A|8px|3B| text-overflow|3A| clip|3B| height|3A|19px|3B 22|>"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:36281; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit relay traffic detected"; flow:to_server,established; content:"access.log HTTP/1.1|0D 0A|Range: bytes="; fast_pattern:only; content:!"User-Agent:"; http_header; pcre:"/^\/[a-z0-9]+\/access\.log$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:36332; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"if|28|this "; content:"return -1|3B|"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36457; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit gate detected"; 
flow:to_client,established; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; fast_pattern:only; content:"/Trident/"; content:"{return 0}else{return true}"; within:150; metadata:service http; reference:url,malware-traffic-analysis.net/2015/09/11/index.html; classtype:attempted-user; sid:36492; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown exploit kit landing page detected"; flow:to_client,established; file_data; content:"<object classid"; content:"&#"; within:30; pcre:"/<object classid\s*=\s*[\x22\x27][^\x22\x27]{43}/i"; metadata:service http; reference:url,malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html; classtype:attempted-user; sid:36523; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client, established; file_data; content:"return"; content:"join"; within:8; content:"MSIE |28 5C|d+|5C|.|5C|d+|29 3B|"; distance:0; content:"navigator["; within:60; content:!"]"; within:10; metadata:service http; classtype:attempted-user; sid:36535; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hunter exploit kit landing page detected"; flow:to_client,established; file_data; content:"eval|28|O1O|28|OlI|28|_1OO|29 29 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2015/08/cve-2014-2419-internet-explorer-and.html; classtype:attempted-user; sid:36543; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt"; flow:to_server,established; content:"viewtopic.php?t="; http_uri; content:"&f="; within:13; http_uri; pcre:"/\/viewtopic\x2Ephp\x3Ft\x3D[^\x26]{2,7}\x26f\x3D[a-z0-9_\x2d\x2e]{12}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; 
sid:36637; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit index uri request attempt"; flow:to_server,established; content:"index.php?PHPSESSID="; fast_pattern:only; http_uri; content:"&action="; http_uri; pcre:"/\x2findex\x2ephp\x3fPHPSESSID\x3d[^\x26]{2,5}\x26action\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36636; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit search uri request attempt"; flow:to_server,established; content:"/search.php?keyword"; fast_pattern:only; http_uri; content:"&fid0="; http_uri; pcre:"/\x2fsearch\x2ephp\x3fkeywords?\x3d[^\x26]{2,7}\x26fid0\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36635; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|ferrodo|27|"; content:"substr"; within:100; content:"|27|ge|27|"; within:200; content:"|27|tE|27|"; within:200; content:"|27|le|27|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36788; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|plumbum|27|"; content:"substr"; within:100; content:"|27|doReMi|27|"; within:250; content:"substr"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36785; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit browser version detection attempt"; flow:to_client,established; content:"|27|rHTML|27|]"; fast_pattern:only; content:"if((|2F|(MSIE"; 
content:"[0-7]"; within:10; content:"navigator.userAgent"; within:50; content:".slice"; within:40; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:36802; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|sub|27|"; content:"|27|pro|27|"; within:50; content:"+ (|27|yo|27|)"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36801; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT GongDa landing page detected"; flow:to_client,established; file_data; content:"0xffffffff"; fast_pattern:only; content:"charCodeAt"; nocase; content:"length"; within:20; nocase; content:"fromCharCode"; within:200; nocase; content:"delta"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36798; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|22|g|22|"; content:"|22|ua|22|"; within:50; content:"|22|ge|22|"; within:50; content:"|22|j|22|"; within:50; content:"|22|av|22|"; within:100; content:"|22|a|22|"; within:100; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:36797; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|red|27|"; content:"substr"; within:100; content:"|27|c|27|"; within:150; content:"|27|um|27|"; within:50; content:"|22|char|22|"; within:150; content:"|27|ferrodo|27|"; within:150; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36796; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit 
landing page detected"; flow:to_client,established; content:"|27|mCh|27|"; content:"|27|fr|27|"; within:100; content:"|22|ev|22|"; within:200; content:"|27|fillip|27|"; within:150; content:"substr"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36790; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"|27|do|27|+|27|c|27|+|27|um|27|+|27|ent|27|"; fast_pattern:only; content:"|22|char|22|"; content:"ner"; within:200; content:"HT"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36808; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Known exploit kit obfuscation routine detected"; flow:to_client,established; content:"vbscript>"; content:"=Split("; within:40; content:"UBound("; within:40; content:"+Chrw(eval("; within:40; content:"End Function"; within:40; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-6332; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:36824; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"["; content:".substr ("; within:25; content:"].appendChild ("; within:60; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36899; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DoloMalo exploit kit packer detected"; flow:to_server,established; content:"?getsrc=ok&ref="; fast_pattern:only; http_uri; content:"&url="; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; 
classtype:trojan-activity; sid:37016; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<input>"; content:"</input>"; content:"<nobr>"; fast_pattern:only; content:"</nobr>"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:37014; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<span style=|27| width|3A|"; content:"px"; within:3; distance:1; content:"|3B| height|3A|"; content:"px|3B 27 20 20|id=|27|"; within:11; distance:1; content:"|27 20 20 20|class=|27|text|27|"; distance:0; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:37207; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page detected"; flow:to_client,established; file_data; content:"String.fromCharCode(parseInt(("; fast_pattern:only; content:"var"; content:"|22 22|"; within:2; distance:9; metadata:service http; classtype:attempted-user; sid:37355; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DarkLeech iframe injection tool detected"; flow:to_client,established; file_data; content:"<style>."; nocase; content:" { position|3A| absolute|3B| top|3A| -"; within:50; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:37361; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit iframe injection attempt"; flow:to_client,established; file_data; content:"document.write"; content:"<iframe"; within:10; content:"16.html|22|"; within:70; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; 
reference:url,malware.dontneedcoffee.com; classtype:attempted-user; sid:37529; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt"; flow:to_server,established; content:".php?c_id="; http_uri; content:"&n_id"; within:5; distance:2; http_uri; content:"&token="; within:10; distance:2; http_uri; pcre:"/\x2ephp\x3fc_id\x3d\d{2}\x26n_id\x3d\d{2,4}\x26token\x3d[a-zA-Z0-9]{32}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com; classtype:attempted-user; sid:37528; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear landing page detected"; flow:to_client,established; file_data; content:"yId|22|"; content:"|22|inner|22|"; within:100; content:"|22|TML|22|"; within:200; content:"|22|substr|22|"; within:100; content:"|22|index|22|"; within:100; content:"+|22|f|22|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37551; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear landing page detected"; flow:to_client,established; file_data; content:"|22|I from the grandmother left, and left my grandfather.|22|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37550; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Malicious iFrame injection outbound URI request attempt"; flow:to_server,established; content:"/?id="; http_uri; content:"&keyword="; within:9; distance:7; http_uri; pcre:"/\x2f\x3fid=[0-9]{7}\x26keyword=[a-f0-9]+\x26[\w_]+\x3d/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37549; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 
any (msg:"EXPLOIT-KIT Malicious iFrame redirection injection attempt"; flow:to_client,established; file_data; content:"|22 5D 5D 2E|join|28 5C 22 5C 22 29 3B 22 29 29 3B 2F 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37548; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit view uri request attempt"; flow:to_server,established; content:"view.php?t="; http_uri; content:"&f="; within:13; http_uri; pcre:"/\/view\x2Ephp\x3Ft\x3D[^\x26]{2,7}\x26f\x3D[a-z0-9_\x2d\x2e]{12}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37873; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewthread uri request attempt"; flow:to_server,established; content:"/viewthread.php?f="; fast_pattern:only; http_uri; content:"&sid="; http_uri; pcre:"/\x2fviewthread\x2ephp\x3ff\x3d[^\x26]{2,7}\x26sid\x3D[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37872; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit index uri request attempt"; flow:to_server,established; content:"/index.php?PHPSESSID="; fast_pattern:only; http_uri; content:"&mod="; http_uri; pcre:"/\x2findex\x2ephp\x3fPHPSESSID\x3d[^\x26]{2,5}\x26mod\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37871; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewthread uri request attempt"; flow:to_server,established; content:"/viewthread.php?thread_id="; fast_pattern:only; http_uri; content:"&tid="; http_uri; 
pcre:"/\x2fviewthread\x2ephp\x3fthread_id\x3d[^\x26]{2,7}\x26tid\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37958; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit view uri request attempt"; flow:to_server,established; content:"/view.php?id="; fast_pattern:only; http_uri; content:"&course="; http_uri; pcre:"/\x2fview\x2ephp\x3fid?\x3d[^\x26]{2,7}\x26course\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37957; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong da exploit kit landing page"; flow:to_client,established; file_data; content:"/index.aspx?id="; fast_pattern:only; content:"expires=|22| +"; nocase; content:"toGMTString()"; within:50; nocase; content:"escape(document.referrer)"; within:500; nocase; content:"/sa.htm?id="; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37919; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit Internet Explorer exploit attempt"; flow:to_client,established; content:"|3C|html|3E 0D 0A 3C|body|3E 0D 0A 3C|div|20|id|3D 22|"; content:"|22 3E|"; within:10; pcre:"/^([0-9]{2,3}\x2A[0-9]{2,3}\x2A){5}/R"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:37918; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit search uri request attempt"; flow:to_server,established; content:"/search.php?keyword="; http_uri; content:"&type="; within:12; distance:2; http_uri; 
pcre:"/\x2fsearch\x2ephp\x3fkeyword\x3d[^\x26]{2,7}\x26type\x3d([a-z]{1,5}[0-9]{1,5}|[0-9]{1,5}[a-z]{1,5})/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38121; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit gate redirector"; flow:to_client,established; file_data; content:"charCodeAt"; nocase; content:"unescape"; within:200; nocase; content:"%256"; within:100; content:"|27|charCodeAt|27|"; within:300; nocase; content:"String"; within:100; nocase; content:"eval"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38133; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit view uri request attempt"; flow:to_server,established; content:"view.php?forum_id="; fast_pattern:only; http_uri; content:"&id="; http_uri; pcre:"/\x2fview\x2Ephp\x3Fforum_id\x3D[^\x26]{2,7}\x26id\x3D[a-z0-9]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38163; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewthread uri request attempt"; flow:to_server,established; content:"viewthread.php?thad_id="; fast_pattern:only; http_uri; content:"&tid="; http_uri; pcre:"/\x2fviewthread\x2Ephp\x3Fthad_id\x3D[^\x26]{2,7}\x26tid\x3D[a-z0-9]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38162; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit index uri request attempt"; flow:to_server,established; content:"/index.php?search="; http_uri; content:"&mod="; fast_pattern:only; http_uri; 
pcre:"/\x2findex\x2ephp\x3fsearch\x3d[^\x26]{2,5}\x26mod\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38161; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit gate detected"; flow:to_client,established; file_data; content:"position|3A|absolute|3B|left|3A|-1753px|3B|top|3A|0px|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38160; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Known malicious redirection attempt"; flow:to_server,established; content:"&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.malwarebytes.org/malvertising-2/2016/03/large-angler-malvertising-campaign-hits-top-publishers/; classtype:attempted-user; sid:38254; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection attempt"; flow:to_client,established; file_data; content:"opacity|3A|0|3B|filter|3A|alpha(opacity=0)|3B|"; fast_pattern:only; content:"-moz-opacity|3A|0|3B 22|>"; content:"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:38275; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit news uri structure"; flow:to_server,established; content:"/news/"; fast_pattern; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; 
pcre:"/^\/news\/([0-9]+\/){3}[0-9]{5,10}(\.html)?$/U"; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:38439; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit questions uri request attempt"; flow:to_server,established; content:"/questions/"; fast_pattern:only; http_uri; pcre:"/^\/questions\/[0-9]+\/([a-zA-Z]+-){3,6}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38438; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound uri structure"; flow:to_server,established; content:"/music/song/"; depth:12; http_uri; content:"_"; http_uri; pcre:"/^\x2fmusic\x2fsong\x2f[0-9]+_[a-zA-Z]{5,20}(\x2easpx)?$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38437; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"autotest= |22|retina|22|"; fast_pattern; content:"id = |22|e8a-48-"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38524; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"id = |22|PLgxk1z"; fast_pattern; content:"fontbackold=|22|red|22|"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38523; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; file_data; content:"=|22|120|22| autotest= |22|retina|22| id = |22|"; fast_pattern:only; 
pcre:"/=\x22120\x22\x20autotest=\x20\x22retina\x22\x20id\x20=\x20\x22[a-zA-z0-9]{3}-[a-zA-z0-9]{2,3}-[a-zA-z0-9]{5,20}\x22/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38522; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit redirect page detected"; flow:to_client,established; file_data; content:"</q>"; content:"</small>"; content:"</big>"; content:"</hl>"; content:"</em>"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38521; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; content:"<meta name=|22|keywords|22| content=|22|HTML, CSS, XML, XHTML, JavaScript|22|>"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:38556; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; file_data; content:"|2F|*By creating and uploading Web pages to the Internet*|2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38555; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; content:"|29 3B|eval|28|eval|28 27|"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:38553; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; file_data; content:"function|28 29 7B|var "; content:"=|22|"; within:20; distance:8; pcre:"/function.*?\x3D\x22[a-f0-9]{200}/smi"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:38552; rev:2;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt"; flow:to_client,established; content:"Content-Type|3A| application/octet-stream"; http_header; file_data; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; depth:47; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2016/04/nuclear-exposed.html; classtype:trojan-activity; sid:38593; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt"; flow:to_server,established; content:"/test.x.test"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2016/04/nuclear-exposed.html; classtype:trojan-activity; sid:38592; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT vbscript downloading executable attempt"; flow:to_client,established; file_data; content:"createObject"; content:"Microsoft.XMLHTTP"; within:200; content:"Get.SaveToFile"; fast_pattern; content:".exe"; within:150; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38589; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"|22|push|22|"; content:"String"; within:150; content:"|22|fromCharCode|22|"; within:100; content:"|2F 5C|s|7C 5C 2E 2F|g"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38582; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt"; flow:to_client,established; file_data; 
content:"<object"; content:"height="; distance:0; content:"id="; within:10; content:"width="; content:"codebase="; within:20; fast_pattern; content:"classid"; content:"movie"; distance:0; content:"value"; within:10; content:"allowScriptAccess"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38730; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler Exploit Kit email gate"; flow:to_server,established; content:"/order/order_details.html?"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38682; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Obfuscated exploit download attempt"; flow:to_client,established; file_data; content:"56,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:38876; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt"; flow:to_client,established; file_data; content:"<object"; content:"height="; distance:0; content:"codebase"; within:20; fast_pattern; content:"id="; distance:0; content:"width="; within:20; content:"classid"; content:"movie"; distance:0; content:"value"; within:10; content:"always"; distance:0; content:"allowScriptAccess"; within:25; metadata:policy max-detect-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/05/25/index.html; classtype:trojan-activity; sid:39081; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Obfuscated exploit download attempt"; 
flow:to_client,established; file_data; content:"87,115,99,114,105,112,116,37,50,69,83,104,101,108,108"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:39130; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear gate redirect attempt"; flow:to_client,established; content:"Cache-Control|3A| no-store, no-cache, must-revalidate"; fast_pattern:only; http_header; file_data; content:"top.location.replace"; content:"top.location.href"; within:50; pcre:"/top\x2elocation\x2ereplace\s*\x28\s*(?<var>\w+)\s*\x29.*?top.location.href\s*\x3d\s*(?P=var)/s"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:39129; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear landing page detected"; flow:to_client,established; file_data; content:"yesterday weve been pushing the car"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:39128; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|00 18 01 00 44 11 19 00 00 00 41 13 00|"; content:!"|5A 0A|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:39241; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|00 18 01 00 44 11 19 00 00 00 41 13 00|"; content:!"|5A 0A|"; within:200; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:39240; 
rev:4;)

# ---------------------------------------------------------------------------
# Exploit-kit (EK) rules, continued. Restored to one rule per line; a leading
# "#" marks a rule that ships disabled and must be un-commented to load.
# sid = rule id, rev = revision. metadata:policy lists the policy tiers in
# which the rule is enabled and the action taken there; rules on
# $FILE_DATA_PORTS also cover ftp-data/imap/pop3 per their "service" metadata.
# ---------------------------------------------------------------------------

# Gate/redirector detection on the response body (file_data). 39677 looks for
# a hidden <span ... style="display:none"> block closed and immediately
# followed by <script>.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt"; flow:to_client,established; file_data; content:"<span"; depth:70; content:"style|3D 22|display|3A|none|22|"; within:200; isdataat:1000,relative; content:!"</span>"; within:1000; content:"</span>"; distance:0; content:"<script>"; within:10; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:39677; rev:2;)
# Landing page fingerprint: X-UA-Compatible / EmulateIE meta tag followed by a
# VBScript script block. 44738 and 47034 below are variants of the same idea.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror exploit kit landing page detected"; flow:to_client,established; file_data; content:"<meta"; nocase; content:"http-equiv=|22|X-UA-Compatible|22|"; within:35; nocase; content:"content="; within:15; nocase; content:"EmulateIE"; within:20; fast_pattern; nocase; content:"<script"; nocase; content:"VBScript"; within:20; nocase; metadata:policy max-detect-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/06/15/index.html; classtype:attempted-user; sid:39754; rev:3;)
# Flash object/embed block with allowScriptAccess=sameDomain.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt"; flow:to_client,established; file_data; content:"<object"; content:"codebase="; distance:0; content:"height="; within:200; content:"width="; within:150; content:"id="; within:25; content:"movie"; within:100; content:"value"; within:40; content:"<embed"; content:"allowScriptAccess"; within:50; fast_pattern; content:"sameDomain"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39802; rev:1;)
# 40034 and 41908 share one pcre: an absolutely-positioned element pushed
# off-screen by a four-digit negative top/left with three-digit width/height.
# 40034 keys on "iframe" over $HTTP_PORTS, 41908 on "<span" over
# $FILE_DATA_PORTS.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit kit embedded iframe redirection attempt"; flow:to_client,established; file_data; content:"iframe"; fast_pattern; content:"style"; within:150; content:"position"; within:15; content:"absolute"; within:15; content:"width"; content:"height"; pcre:"/position\x3aabsolute\x3b\s*((top|left)\x3a-\d{4}px\x3b){1,2}\s*(width|height)\x3a\d{3}px\x3b\s*(height|width)\x3a\d{3}px\x3b/"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:40034; rev:1;)
# Server-side rule: inbound request to $HTTP_SERVERS carrying the Phoenix
# geoip.php?bdr= URI; the reference is the public Metasploit module.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt"; flow:to_server,established; content:"/geoip.php?bdr="; fast_pattern:only; http_uri; metadata:policy security-ips drop, ruleset community, service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phoenix_exec.rb; classtype:web-application-activity; sid:40184; rev:1;)
# Response-header match on a distinctive X-Powered-By value; enabled in all
# three policy tiers.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown exploit kit landing page detected"; flow:to_client,established; content:"X-Powered-By|3A 20|Yugoslavian Business Network"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/06/15/index.html; classtype:attempted-user; sid:40233; rev:1;)
# Rig outbound URI rules (40753, 41783, 42806, 43332, 43187). 40753 and 41783
# set flowbits file.exploit_kit.flash so that a later file rule (not in this
# section) can act on the Flash payload that follows.
# NOTE(review): in 40753 the "&ie=" match, and in 41783 the "oq="/"q="/"ct="
# matches, carry no http_uri modifier and so inspect the raw payload rather
# than the normalized URI buffer; compare 42806, where the same tokens are
# URI-bound. Confirm this is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>150,norm; content:"/?"; depth:2; http_uri; content:"es_sm="; fast_pattern:only; content:"&sourceid="; http_uri; content:"aqs="; http_uri; flowbits:set,file.exploit_kit.flash; content:"&ie="; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40753; rev:4;)
# Sundown redirect: URI starts with /noone.php (depth:10 on a 10-byte content
# pins it to the start of the URI buffer). Destination port is "any".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sundown Exploit Kit redirection attempt"; flow:established,to_server; content:"/noone.php"; depth:10; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41035; rev:1;)
# Landing-page obfuscation: <script ... VBScript ... Execute ... chr within
# tight windows. MITRE ATT&CK T1027/T1140 references are carried as metadata.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"<script "; nocase; content:"VBScript"; within:50; fast_pattern; nocase; content:"Execute"; within:200; nocase; content:"chr"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41092; rev:2;)
# String-splitting obfuscation ("createE"+"lement", "text/j"+"avascript").
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"|22|script|22|"; nocase; content:"|22|createE|22|"; within:50; nocase; content:"|22|lement|22|"; within:20; nocase; content:"|22|type|22|"; within:50; nocase; content:"|22|text/j|22|"; within:50; nocase; content:"|22|avascript|22|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41084; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig exploit kit landing page detected"; flow:established,to_client; file_data; content:"<iframe"; nocase; content:"onload"; within:20; nocase; content:"window.setTimeout"; within:100; nocase; content:"style"; within:100; nocase; content:"visibility:hidden"; within:30; nocase; content:"<script"; nocase; content:"http://"; within:30; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:41314; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit URL outbound communication"; flow:established,to_server; urilen:>140,norm; content:"/?"; depth:2; http_uri; content:"qtuif="; fast_pattern:only; content:"oq="; nocase; content:"q="; nocase; content:"ct="; nocase; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41783; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit kit Pseudo-Darkleech Gate redirection attempt"; flow:to_client,established; file_data; content:"<span"; fast_pattern; content:"style"; within:150; content:"position"; within:15; content:"absolute"; within:15; content:"width"; content:"height"; pcre:"/position\x3aabsolute\x3b\s*((top|left)\x3a-\d{4}px\x3b){1,2}\s*(width|height)\x3a\d{3}px\x3b\s*(height|width)\x3a\d{3}px\x3b/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:41908; rev:1;)
# EITest gate: script that builds a zero-size, borderless iframe via
# setAttribute and points it at an http:// URL.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit Kit EITest Gate redirection attempt detected"; flow:established,to_client; file_data; content:"<script"; nocase; content:"type"; within:20; nocase; content:"text/javascript"; within:35; nocase; content:"iframe"; within:50; nocase; content:"|22|0px"; within:200; nocase; content:"setAttribute"; nocase; content:"frameborder"; within:30; nocase; content:"|22|0"; within:10; nocase; content:"http://"; within:200; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:42018; rev:1;)
# Blacole malformed-PDF rules: HTML/JS (iframe, 1px, getElementbyId) trailing
# the PDF %%EOF marker. Both require flowbits file.pdf, which is set elsewhere.
# 42397 covers inbound SMTP to $SMTP_SERVERS:25; 42396 is the same body over
# $FILE_DATA_PORTS but uses flow:to_client without "established". Both ship
# disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blacole inbound malformed pdf download attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%%EOF"; isdataat:500,relative; content:"iframe"; within:1000; nocase; content:"1px"; within:200; nocase; content:"getElementbyId"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/602F2B47BF63A0776673378FE95B9C025C93A3959C503D0DB3D7B82E7B7C5823/analysis/; reference:url,virustotal.com/en/file/C22015F1132AC29EDAC89D219988595257E5F92EB4C34A2284D499154176224F/analysis/; classtype:trojan-activity; sid:42397; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blacole inbound malformed pdf download attempt"; flow:to_client; flowbits:isset,file.pdf; file_data; content:"%%EOF"; isdataat:500,relative; content:"iframe"; within:1000; nocase; content:"1px"; within:200; nocase; content:"getElementbyId"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/602F2B47BF63A0776673378FE95B9C025C93A3959C503D0DB3D7B82E7B7C5823/analysis/; reference:url,virustotal.com/en/file/C22015F1132AC29EDAC89D219988595257E5F92EB4C34A2284D499154176224F/analysis/; classtype:trojan-activity; sid:42396; rev:1;)
# Rig outbound, URI-bound variant (all query tokens use http_uri); URI length
# bounded to 140-250 with urilen:140<>250.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit URL outbound communication"; flow:to_server,established; urilen:140<>250,norm; content:"/?"; depth:2; http_uri; content:"ct="; http_uri; content:"oq="; fast_pattern:only; http_uri; content:"q="; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:42806; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig/Grandsoft Exploit Kit IE exploit attempt"; flow:to_client,established; file_data; content:"<meta"; content:"http-equiv"; within:15; content:"X-UA-Compatible"; within:30; content:"IE=10"; within:40; content:"<meta"; within:20; content:"charset"; within:20; content:"UTF-8"; within:20; content:"<script"; within:50; metadata:policy max-detect-ips drop, service http; classtype:attempted-admin; sid:43729; rev:2;)
# Rig landing-page request: structural URI pattern pinned by the pcre
# (/?<3-7 letters>& ... x[HX3] ... Q[cdM]...[ab]R). Disabled.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Landing Page Request Attempt"; flow:to_server,established; urilen:>180; content:"/?"; depth:2; http_uri; content:"&"; within:5; distance:3; http_uri; content:"x"; distance:0; http_uri; content:"Q"; distance:0; http_uri; content:"R"; within:1; distance:5; http_uri; pcre:"/\/\?[A-Za-z]{3,7}&.*x[HX3].+Q[cdM].{3}[ab]R/U"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:43332; rev:1;)
# Meta-refresh redirect to an http:// URL at the top of an HTML document.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit redirection attempt"; flow:to_client,established; file_data; content:"<html"; depth:5; content:"<meta"; within:50; content:"http-equiv"; within:20; content:"REFRESH"; within:20; content:"URL="; within:50; content:"http://"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:43217; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit URL outbound communication"; flow:to_server,established; urilen:>140,norm; content:"/tr?"; depth:4; http_uri; content:"id="; http_uri; content:"confirm="; http_uri; content:"size="; http_uri; content:"noframe="; http_uri; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:43187; rev:1;)
# Flash payload: single fast_pattern on an internal namespace string.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT RIG exploit kit Adobe Flash exploit download"; flow:to_client,established; file_data; content:"|16|FilePrivateNS:mersedes"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:43835; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit Kit malicious redirection attempt"; flow:to_client,established; file_data; content:"<script"; content:"type"; within:20; content:"javascript"; within:30; content:"ActiveXObject"; within:100; content:"Shockwave"; within:200; content:"Flash"; within:30; content:"document.write"; within:200; content:"<iframe"; within:30; content:"src='http"; within:50; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:43885; rev:1;)
# Shellcode fragments. The quoted strings are the ASCII hex text as it appears
# in the page (FlashVars value / unescape( argument), not raw bytes.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT TERROR exploit kit FlashVars parameter shellcode"; flow:to_client,established; file_data; content:"FlashVars"; content:"8B5E04311EC10E0183EEFCE2F3"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43932; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT RIG exploit kit shellcode detected"; flow:to_client,established; file_data; content:"unescape|28|"; content:"498034088485C975F7FFE0E8"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43931; rev:1;)
# Same X-UA-Compatible + VBScript fingerprint as 39754, with the non-standard
# ports 1986, 38, 6780 and 9812 added to the source port list.
# alert tcp $EXTERNAL_NET [$HTTP_PORTS,1986,38,6780,9812] -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected"; flow:to_client,established; file_data; content:"<meta"; nocase; content:"http-equiv="; within:20; content:"|22|X-UA-Compatible"; within:40; nocase; content:"content="; within:15; nocase; content:"IE="; within:20; nocase; content:"<script"; within:250; nocase; content:"VBScript"; within:30; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:44738; rev:4;)
# Flash <div> with the Shockwave Flash CLSID and allowscriptaccess=always.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror malicious flash file load attempt"; flow:to_client,established; file_data; content:"<div"; content:"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"; within:100; content:"allowscriptaccess"; within:40; content:"always"; within:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45080; rev:1;)
# Base64 word-list redirect rules (45455, 45527-45532). The tokens are base64
# of ordinary English words (e.g. dW5rbm93bg== = "unknown", bWlzc2luZw== =
# "missing") matched anywhere in the response with no buffer modifier, so
# they are false-positive prone; presumably why all of them ship disabled.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"dW5rbm93bg=="; content:"ZGVub21pbmF0aW9ucw=="; content:"bG9jYXRlZA=="; content:"Y2FwaXRhbA=="; content:"bWlzc2luZw=="; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45455; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"bWlzc2luZw=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45532; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"Y2FwaXRhbA=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45531; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"bG9jYXRlZA=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45530; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"ZGVub21pbmF0aW9ucw=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45529; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"dW5rbm93bg=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45528; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"YXR0YWNrcw=="; content:"bWlzc2luZw=="; content:"c3Rvcm1lZA=="; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45527; rev:1;)
# Terror EK page: "XiaoBa" plus a UTF-8 byte sequence (appears to decode to
# the Chinese string 软件下载站, roughly "software download site" — verify).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Terror EK page access attempt"; flow:to_client,established; file_data; content:"XiaoBa"; content:"|E8 BD AF E4 BB B6 E4 B8 8B E8 BD BD E7 AB 99|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45925; rev:1;)
# Terror EK payload delivery from an "HFS 2" server (Server banner plus an
# HFS_SID_ token) with a "filename" followed by .dll / .exe. 45922 also
# watches port 384 alongside $HTTP_PORTS.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Terror EK dll download attempt"; flow:to_client,established; file_data; content:"Server"; nocase; content:"HFS 2"; within:20; fast_pattern; nocase; content:"HFS_SID_"; content:"filename"; content:".dll"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:45923; rev:1;)
alert tcp $EXTERNAL_NET [$HTTP_PORTS,384] -> $HOME_NET any (msg:"EXPLOIT-KIT Terror EK exe download attempt"; flow:to_client,established; file_data; content:"Server"; nocase; content:"HFS 2"; within:20; fast_pattern; nocase; content:"HFS_SID_"; content:"filename"; content:".exe"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:45922; rev:2;)
# Disabled request-side rule: "GET " then a path of the shape
# /xx/xx/<36 chars>.css. Note it applies file_data on a to_server flow.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Terror EK resource access attempt"; flow:to_server,established; file_data; content:"GET "; nocase; content:"/"; within:1; content:"/"; within:1; distance:2; content:"/"; within:1; distance:2; content:".css"; within:4; distance:36; nocase; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45921; rev:1;)
# Disabled: Set-Cookie carrying streams/campaigns/time names plus a 30x
# status code (http_stat_code). Carries no policy metadata.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror EK landing page attempt"; flow:to_client,established; file_data; content:"Set-Cookie"; content:"streams"; within:50; content:"campaigns"; within:50; content:"time"; within:50; content:"30"; within:2; http_stat_code; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45919; rev:1;)
# FakeFlash: keys on a single hard-coded Referer host. Infrastructure
# indicators like this go stale; review against current telemetry.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT FakeFlash update attempt"; flow:to_server,established; content:"Referer: http://ssiapawz.com/watch?"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:46662; rev:1;)
# Looser variant of 39754/44738 (no within/ordering constraints); disabled.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected"; flow:to_client,established; file_data; content:"X-UA-Compatible"; nocase; content:"EmulateIE8"; fast_pattern:only; content:"VBScript"; nocase; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:47034; rev:1;)
# Server-side rule on $HOME_NET web servers: request body containing
# =die(md5(Ch3ck1ng)) sent to a .php URI (classtype web-application-attack).
# Fires on the request, before any response is seen.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Qadars exploit kit attempt"; flow:to_server,established; content:".php"; http_uri; content:"=die(md5(Ch3ck1ng))"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:48440; rev:1;)