#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO?/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:6;)

Added 2013-04-29 13:26:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO?/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:4;)

Added 2012-11-13 01:25:32 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO?/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/509"; http_uri; depth:4; pcre:"/^\/509[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:3;)

Added 2012-11-02 19:03:42 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO?/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/508"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:1;)

Added 2012-10-26 17:55:31 UTC


Topic revision: r1 - 2013-04-29 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats