# sid 2014748, rev 4 with the metadata keyword added (created_at/updated_at 2012_05_14).
# Disabled: the leading '#' comments the rule out and the msg prefix is "ET DELETED".
# Match logic: an established client-to-server HTTP request from $HOME_NET whose normalized
# URI ends in ".php?t=" followed by 2-7 digits. The nocase content match is only the
# prefilter; the pcre carries no /i flag, so the final ".php?t=" match is case-sensitive.
# threshold type both, track by_src, count 5, seconds 15: at most one alert per source per
# 15-second window, and only after 5 matching requests from that source in the window.
# NOTE(review): a numeric "t" parameter on a .php page is a generic URI shape, so a hit
# needs corroboration from other evidence before it is treated as RedKit activity; the "?"
# in msg presumably reflects the same uncertainty.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit? Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:trojan-activity; sid:2014748; rev:4; metadata:created_at 2012_05_14, updated_at 2012_05_14;)

Added 2017-08-07 21:08:10 UTC


# sid 2014748, rev 4 without the metadata keyword. Doubly commented out ('##'), so it is
# not loaded; the msg prefix is "ET DELETED".
# The header is "alert http ... -> $EXTERNAL_NET any" where revs 1 and 2 on this page use
# "alert tcp ... $HTTP_PORTS": no port list is named here, so which flows are inspected
# depends on the engine's HTTP protocol detection rather than on $HTTP_PORTS.
# Detection options are unchanged: URI ending in ".php?t=" plus 2-7 digits (case-sensitive
# pcre on the normalized URI), rate-gated to 5 matches per source in 15 seconds.
##alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit? Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:trojan-activity; sid:2014748; rev:4;)

Added 2014-09-10 17:09:11 UTC


# sid 2014748, rev 2. Apart from the rev number, the only difference from rev 1 is the
# leading '#': the rule is shipped commented out, so it does not alert unless a local
# policy re-enables it. The msg still carries the "ET CURRENT_EVENTS" prefix.
# NOTE(review): the page gives no reason for disabling it one day after rev 1; the generic
# URI pattern (".php?t=" plus 2-7 digits) makes false positives a plausible cause - confirm
# against the ruleset changelog before re-enabling.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit? Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:trojan-activity; sid:2014748; rev:2;)

Added 2012-05-15 20:37:57 UTC


# sid 2014748, rev 1 - the only revision on this page that is active (no leading '#').
# Scope: established client-to-server TCP flows from $HOME_NET to $EXTERNAL_NET on
# $HTTP_PORTS only, so HTTP on a port missing from that variable is not inspected.
# Match: the normalized URI must end in ".php?t=" followed by 2-7 digits. The nocase
# content is the prefilter; the pcre has no /i flag, so the final match is case-sensitive.
# Rate gate: threshold type both, track by_src, count 5, seconds 15 - one alert per source
# per 15-second window, raised only after 5 matching requests, which suppresses a single
# stray request but also means fewer than 5 requests in the window never alert.
# Triage: classtype is trojan-activity, but the URI shape alone is weak evidence; check the
# alerting host's surrounding HTTP traffic against the referenced write-ups.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit? Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:trojan-activity; sid:2014748; rev:1;)

Added 2012-05-14 15:47:55 UTC


Topic revision: r1 - 2017-08-08 - TWikiGuest
 