#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Excessive Use of HeapLib? Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:4;)

Added 2016-08-29 17:33:21 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib? Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:1;)

Added 2011-10-12 19:36:23 UTC

Seems to hit a lot on visits to http://nouveaucheap.blogspot.com/. Specifically, this URL: "http://widget3.linkwithin.com/show_widget?site_id=14976&url=http://nouveaucheap.blogspot.com/&callback=LW.sw&widget_id=1&permalink=http"

It seems like this will hit on any URL in content that has "heap." in it (dungheap.com, etc.).

-- AndrewBeard - 2014-05-20

Agreed. False Positive observed for an alert today on the string “heap” in “cheap” in the following URL snippet:

[. . .]width=600&cp.height=337&cp.pageurl=http://video.b1.org&cp.media=/media/2175.mp4&cp.title=Nissan GTR Short Promo&cp.duration=1:49&cp.description=This vehicle is not very cheap. It costs 182.500 USD, [. . .]

-- AmandaDeason - 2016-07-20
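To make the false positive concrete, here is an added Python example (not part of this page or the Emerging Threats rule set) that emulates the rule's three chained matches, content:"Heap|2E|"; nocase; distance:0 (|2E| is the hex escape for "."), over constructed HTTP response bodies. It also includes a tightened check that ignores "heap." when it is the tail of a longer word such as "cheap." or "dungheap."; that check is an illustrative assumption for this example, not a revision published by ET.

```python
import re

# Needle the ET rule matches three times, case-insensitively ("Heap|2E|" == "Heap.").
NEEDLE = "heap."


def chained_matches(body: str, needle: str = NEEDLE) -> int:
    """Count successive content matches the way Snort/Suricata chain them.

    distance:0 means each subsequent match may begin at or after the end of the
    previous one, so overlapping hits are not double-counted.
    """
    hay = body.lower()          # emulate the nocase modifier
    pos = 0
    count = 0
    while True:
        idx = hay.find(needle, pos)
        if idx < 0:
            return count
        count += 1
        pos = idx + len(needle)  # next search starts where this match ended


def rule_fires(body: str, threshold: int = 3) -> bool:
    """sid:2013222 requires three chained 'heap.' matches in the response."""
    return chained_matches(body) >= threshold


# Illustrative tightening (assumption for this example, not an ET rule change):
# only count 'heap.' when it is not preceded by a word character, so the token
# inside 'cheap.' or 'dungheap.com' no longer counts while 'heap.alloc(' does.
WORD_HEAP = re.compile(r"(?<![a-z0-9_])heap\.", re.IGNORECASE)


def tightened_fires(body: str, threshold: int = 3) -> bool:
    return len(WORD_HEAP.findall(body)) >= threshold


# Constructed sample bodies (not captured traffic).
# 1. Benign page text modelled on the URL snippets reported above: three
#    occurrences of 'heap.' buried inside longer words.
FP_BODY = (
    "cp.title=Nissan GTR Short Promo&cp.description=This vehicle is not very cheap. "
    "It costs 182.500 USD. See nouveaucheap.blogspot.com/ and dungheap.com for more."
)

# 2. Script text using heap-manager style method calls, the pattern the rule
#    was written to catch (constructed, not a real exploit page).
HEAPLIB_BODY = "var heap = getHeap(); heap.alloc(0x40); heap.free(a); heap.gc();"

# 3. Benign page with only two occurrences; the chain never reaches three.
SHORT_BODY = "cheap. cheap."


if __name__ == "__main__":
    for name, body in (("FP_BODY", FP_BODY), ("HEAPLIB_BODY", HEAPLIB_BODY), ("SHORT_BODY", SHORT_BODY)):
        print(f"{name}: chained={chained_matches(body)} "
              f"rule_fires={rule_fires(body)} tightened_fires={tightened_fires(body)}")
```

Running it shows the original rule firing on the benign FP_BODY (three chained hits, all inside "cheap."/"dungheap.") and on HEAPLIB_BODY, while the word-boundary variant only fires on HEAPLIB_BODY. The tightened pattern is one possible way to cut this class of false positive; whether it is precise enough for a production rule would need validation against real traffic.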


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib? Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:1;)

Added 2011-07-06 18:04:48 UTC


Topic revision: r3 - 2016-07-20 - AmandaDeason