alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,; reference:url,; classtype:trojan-activity; sid:2015657; rev:2;)

Added 2013-04-29 13:26:51 UTC

I realize this is only a possible Metasploit Java payload signature, but I figured I would submit my findings on a particular false positive that may be common. We have seen false positives on the following JAR file from Cisco utilizing org/bouncycastle/crypto/agreement/jpake/JPAKERound1Payload.class.


-- DanielDuBose - 2015-01-16
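To illustrate the false positive reported above, here is an added Python example (not from this page, Emerging Threats, or the rule's author): it builds two in-memory JARs with constructed entry names and shows that a plain case-insensitive substring match on the response body, which is what the rule's `content:"Payload.class"; nocase;` over `file_data` amounts to, fires on `JPAKERound1Payload.class`, while a check on the exact archive entry basename does not. The `metasploit/Payload.class` name is a constructed sample, not taken from the page.

```python
import io
import zipfile

# Constructed sample entry names (not from the original page's data).
BENIGN_ENTRIES = [
    "org/bouncycastle/crypto/agreement/jpake/JPAKERound1Payload.class",
    "org/bouncycastle/crypto/agreement/jpake/JPAKERound2Payload.class",
]
SUSPECT_ENTRIES = ["metasploit/Payload.class"]  # constructed sample name


def build_jar(entry_names):
    """Return the bytes of an in-memory JAR (zip) with stub class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in entry_names:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def rule_content_match(jar_bytes, needle=b"Payload.class"):
    """Mimic the rule's match: a case-insensitive substring search over the
    HTTP response body (file_data). Zip entry names are stored in clear text
    in the local headers and central directory, so any name that merely
    ends in 'Payload.class' satisfies this check."""
    return needle.lower() in jar_bytes.lower()


def exact_basename_match(jar_bytes, basename="Payload.class"):
    """Stricter check: parse the archive and require an entry whose final
    path component is exactly `basename`, so 'JPAKERound1Payload.class'
    no longer counts as a hit."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(
            name.rsplit("/", 1)[-1].lower() == basename.lower()
            for name in zf.namelist()
        )


if __name__ == "__main__":
    for label, entries in (("bouncycastle", BENIGN_ENTRIES), ("suspect", SUSPECT_ENTRIES)):
        jar = build_jar(entries)
        print(label, "substring:", rule_content_match(jar),
              "basename:", exact_basename_match(jar))
```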

Topic revision: r2 - 2015-01-16 - DanielDuBose
Copyright © Emerging Threats