# Copyright 2001-2015 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------
# EXPLOIT-KIT RULES
#-------------------
# Astrum EK, outbound multi-exploit download request (sid 31971).
# This rule never alerts by itself (flowbits:noalert): it only sets the
# file.exploit_kit.jar/pdf/flash/silverlight flowbits so that file-type rules
# elsewhere in the ruleset (not in this view) can fire on the response.
# "GET" and ". HTTP/1." are raw-buffer matches (no http_* modifier); the URI
# must be longer than 60 bytes and end in one or more dots after a path
# segment (pcre /mU), and the request must carry a Keep-Alive Connection header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:". HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; flowbits:noalert; metadata:ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:4;)
# Flim EK (sids 26964, 26963, 26962, 26961) and Zuponcic EK (sid 26960).
# sid 26964 / 26963 (both disabled): outbound jnlp / jar request with a fixed
# urilen, a hex or alnum filename of fixed length, and a " Java/1." UA fragment.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jnlp request"; flow:to_server,established; urilen:18; content:".jnlp"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9]{12}\.jnlp$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26964; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jar request"; flow:to_server,established; urilen:14; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-f0-9]{9}\.jar$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26963; rev:1;)
# sid 26962: inbound PE keyed on a 9-byte file-body prefix rather than an MZ
# header, i.e. the download is obfuscated on the wire.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit portable executable download"; flow:to_client,established; file_data; content:"|4F CF 6A BC A1 03 01 00 69|"; depth:9; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26962; rev:1;)
# sid 26961: landing page that creates an iframe in a script variable and
# appends it to document.body; the pcre backreference (?P=variable) ties the
# createElement, setAttribute and appendChild calls to the same variable.
# NOTE(review): dsize:<400 is a packet payload size test; confirm it matches as
# intended once the HTTP body has been reassembled from several packets.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:3;)
# sid 26960: hidden iframe (z-index: -1, scrolling=no) with an http:// src; the
# "mt" and " id=" anchors are positional (within/distance), so attribute order
# is part of the signature.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Zuponcic exploit kit landing page"; flow:to_client,established; file_data; content:"<iframe style="; content:"z-index|3A| -1"; within:11; distance:1; content:"scrolling="; content:"no"; within:2; distance:1; content:"src="; within:4; distance:2; content:"http|3A 2F 2F|"; within:7; distance:1; content:"mt"; within:50; distance:10; content:" id="; within:4; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26960; rev:3;)
# Topic EK outbound connections (sids 26959-26956). Four rules that differ
# only in the exp= value (rhino, atom, lib, byte) of a ".php?exp=<name>&b="
# URI; each is a single fast_pattern URI match with no other constraints.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 4"; flow:to_server,established; content:".php?exp=rhino&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26959; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 3"; flow:to_server,established; content:".php?exp=atom&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 2"; flow:to_server,established; content:".php?exp=lib&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26957; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 1"; flow:to_server,established; content:".php?exp=byte&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26956; rev:1;)
# DotkaChef/Rmayana/DotCache EK (sids 26951-26947).
# sid 26951: outbound "/.cache/?f=" jar request whose query ends in two
# single-letter parameters carrying 16 hex characters each.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI request"; flow:to_server,established; content:"/.cache/?f="; fast_pattern; http_uri; content:".jar"; http_uri; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:4;)
# sid 26950: outbound "/?f=s...&k=<digits>" request (optionally followed by
# &h=); sets file.exploit_kit.jar so that jar file rules elsewhere can fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=s"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:26950; rev:7;)
# sid 26949: inbound landing page with a 0x0 applet whose code attribute is
# "site.avi" (nocase) followed by an archive attribute.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0"; within:1; distance:1; content:" height="; within:8; distance:1; content:"0"; within:1; distance:1; content:" code="; within:6; distance:1; content:"site.avi"; within:8; distance:1; nocase; content:" archive="; within:9; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:3;)
# sid 26948 / 26947: inbound response whose filename= header value is
# site.jar / atom.jar, referenced to CVE-2013-1493 / CVE-2013-2423.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:3;)
# Flashpack/Safe/CritX EK (sids 26897-26891).
# sid 26897: outbound payload fetch "/load.php?e=...&ip=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit malware download"; flow:to_server,established; content:"/load.php?e="; http_uri; content:"&ip="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26897; rev:2;)
# sid 26896: outbound plugin-detection callback "/gate.php?ver=...&p=...&j=...&f=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Plugin detection response"; flow:to_server,established; content:"/gate.php?ver="; http_uri; content:"&p="; distance:0; http_uri; content:"&j="; distance:0; http_uri; content:"&f="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26896; rev:2;)
# sid 26895 / 26894: outbound Java exploit requests "/j07.php?i=" (UA must
# contain " Java/1.7") and "/j161.php?i=" (any " Java/1." UA).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Java V7 exploit download"; flow:to_server,established; content:"/j07.php?i="; fast_pattern:only; http_uri; content:" Java/1.7"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26895; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Java V6 exploit download"; flow:to_server,established; content:"/j161.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26894; rev:2;)
# sid 26893: inbound landing page that loads "js/js.js" and references
# "AdobeReader".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit landing page"; flow:to_client,established; file_data; content:"<script src="; content:"js/js.js"; distance:1; content:"AdobeReader"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26893; rev:2;)
# sid 26892 / 26891: inbound jar / exe whose filename= header value is exactly
# 24 [a-z0-9] characters plus the extension; the pcre /H restates the
# content+within/distance check.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".jar"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:2;)
# sid 26838 (disabled): Blackholev2 initial gate from the NatPay mailing
# campaign - the campaign-specific URI "/natpay.html?" and nothing else.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26838; rev:2;)
# sid 26834: Sweet Orange EK landing page - a short (<75 byte) "/in.php" URI
# whose "&q=" parameter ends in "==", i.e. base64 padding, hence "base64 uri"
# in the msg.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:4;)
# sid 26814 (disabled): Blackholev2 initial gate from the Linked-In mailing
# campaign - URI "/linkendorse.html" with urilen:17,norm and nothing else.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26814; rev:2;)
# Goon/Infinity/Redkit EK (sids 26808, 26807, 26806, 26805).
# sid 26808 (disabled): outbound request for a 1-4 character .jar name from a
# Java client with an x-java-archive content-type header; carries a hard-coded
# negative header match (!"cbssports.com") as a false-positive exclusion.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Redkit exploit kit short jar request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; content:"content-type|3A| application/x-java-archive"; http_header; pcre:"/^\/[a-z0-9]{1,4}\.jar$/U"; content:!"cbssports.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:11;)
# sid 26807: inbound landing page keyed on a fixed "|"-delimited token list.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"|7C|secure|7C|length|7C|setStr|7C|getCookie|7C|setCookie|7C|indexOf|7C|v|7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26807; rev:1;)
# sid 26806 (disabled): jnlp analogue of sid 26808 without the header checks.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit short JNLP request"; flow:to_server,established; content:".jnlp"; fast_pattern:only; http_uri; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26806; rev:2;)
# sid 26805: inbound encrypted binary keyed on a 4-byte body prefix; requires
# the java_user_agent flowbit, which is set by a rule outside this view.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit encrypted binary download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|FB 67 1F 49|"; depth:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26805; rev:1;)
# Landing-page and injection structures shared by several kits.
# sid 26653: landing page with <applet><param name="jnlp_href" value=" (applet
# launched from a jnlp reference).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page - specific structure"; flow:established,to_client; file_data; content:"<applet><param name=|22|jnlp_href|22| value=|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/; classtype:trojan-activity; sid:26653; rev:4;)
# sid 26617: "iFramer" injection keyed on the literal catch(d21vd12v)
# identifier that the injected script uses.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer injection - specific structure"; flow:to_client,established; file_data; content:"|7B|catch(d21vd12v)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26617; rev:3;)
# sid 26600 / 26599: Impact/Stamp landing page keyed on the literal
# "var sentleft={versoin:" (the misspelling is part of the signature) and on
# the "/*reedjoll*/" comment.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"var sentleft=|7B|versoin|3A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26600; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"/*reedjoll*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26599; rev:1;)
# sid 26591: script injection - "+escape( inside the first 100 bytes of the
# body, then .charCodeAt( anywhere after it, then "</script>id=" within 64
# bytes of that.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT unknown exploit kit script injection attempt"; flow:to_client,established; file_data; content:"|22|+escape|28|"; depth:100; content:".charCodeAt|28|"; distance:0; content:"</script>id="; within:64; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1;)
# sid 26562: Nuclear EK - request whose Host header contains a ".com-" label
# (pcre on the Host line, case-insensitive) together with an exact Accept
# header string used as the fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
# sid 26541: successful redirection from several kits - URI "php?jnlp=" followed
# by exactly 10 hex characters at the end of the URI or before a comma.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit successful redirection - jnlp bypass"; flow:to_server,established; content:"php?jnlp="; fast_pattern:only; http_uri; pcre:"/php\?jnlp\=[a-f0-9]{10}($|\x2c)/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26541; rev:4;)
# sid 26540: "iFramer" injection keyed on the literal
# try{document.body-=12;}catch(dv32r3) fragment.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer injection - specific structure"; flow:to_client,established; file_data; content:"try{document.body-=12|3B|}catch(dv32r3)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26540; rev:3;)
# Sakura EK (sids 26539, 26538, 26537).
# sid 26539: inbound PDF keyed on a fixed /CreationDate (D:20130404171020);
# requires the file.pdf flowbit, which is set outside this view. A single
# timestamp is a brittle indicator - it only matches that exact build of the
# document.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit pdf download detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<< /CreationDate (D|3A|20130404171020)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26539; rev:1;)
# sid 26538: landing page "<html><body></body><input id='" with a value
# attribute starting with "%" within 50 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit landing page received"; flow:to_client,established; file_data; content:"<html><body></body><input id=|27|"; content:"|27| value=|27 25|"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26538; rev:1;)
# sid 26537: inbound jar containing Main.class and NOnoa.class; requires the
# file.jar flowbit, which is set outside this view.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit jar download detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main.class"; content:"NOnoa.class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26537; rev:1;)
# sid 26536: Stamp EK landing page - <applet archive="...jar" code="...class"
# width= height= <param ...> with positional (within/distance) anchors.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; within:30; distance:5; content:" code="; within:30; content:".class"; within:30; distance:5; content:" width="; within:30; content:" height="; within:25; content:"<param"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26536; rev:3;)
# sid 26535: landing page with a jnlp_embedded parameter whose value starts
# with "PD" - the base64 prefix of input beginning with "<", consistent with
# an embedded XML jnlp.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value="; distance:0; content:"PD"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26535; rev:5;)
# sid 26534: Stamp EK PE download - "/elections.php?" followed by exactly ten
# name=<1-3 digits> pairs, from a " Java/1." client; sets file.exploit_kit.pe
# so that PE file rules elsewhere can fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit portable executable download"; flow:to_server,established; content:"/elections.php?"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:3;)
# sid 26527: Unix.Backdoor.Cdorked - request for "/info/last/index.php" whose
# Host header begins with a 63-64 character hex label (pcre /Him on the Host
# line); flagged as a possible Blackhole redirect.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt"; flow:to_server,established; content:"/info/last/index.php"; fast_pattern:only; http_uri; pcre:"/^Host:\s*?[a-f0-9]{63,64}\./Him"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26527; rev:1;)
# sid 26526: inbound PE whose DOS stub starts with bytes 2F 2A 14 20 directly
# after "MZ"; evaluated on $FILE_DATA_PORTS for ftp-data, http, imap and pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"|2F 2A 14 20|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:5;)
# sid 26511: Sakura EK redirection - <iframe id="frmstyle" src="http://...
# height=... frameborder=0></iframe>, with positional anchors.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit redirection structure"; flow:to_client,established; file_data; content:"<iframe id="; content:"frmstyle"; within:8; distance:1; content:" src="; within:5; distance:1; content:"http|3A 2F 2F|"; within:7; distance:1; content:" height="; within:250; content:"frameborder=0></iframe>"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26511; rev:5;)
# sid 26509: java payload from several kits - jar containing Bottom.class,
# Bottom10.class and Bottom11.class in that order; requires the file.jar
# flowbit, which is set outside this view.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bottom.class"; content:"Bottom10.class"; distance:0; content:"Bottom11.class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26509; rev:3;)
# sid 26508: payload response with info.dll within 9 bytes after filename= in
# the headers, terminated by CRLF within 4 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll"; flow:to_client,established; content:"filename="; http_header; content:"info.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26508; rev:2;)
# sid 26434 (disabled): Blackholev2 jar containing Suburb.class and
# Suburb013.class, on $FILE_DATA_PORTS across ftp-data, http, imap and pop3.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit jar file downloaded"; flow:to_client,established; file_data; content:"Suburb.class"; content:"Suburb013.class"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26434; rev:3;)
# Redkit EK (sids 26384, 26383, 26377).
# sid 26384 / 26383: landing page request "/<4 letters>.html?j=<6-7 digits>"
# and the same with "?i="; the two rules are otherwise identical.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?j="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?j\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26384; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?i="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?i\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26383; rev:2;)
# sid 26377: outbound jar request with an 8-byte URI "/xxx.jar" whose
# 3-character name contains at least one digit, from a " Java/1" client that
# sends an x-java-archive content-type header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; urilen:8; content:".jar"; http_uri; content:" Java/1"; http_header; content:"content-type|3A| application/x-java-archive"; fast_pattern:20,20; pcre:"/\/([0-9][0-9a-z]{2}|[0-9a-z][0-9][0-9a-z]|[0-9a-z]{2}[0-9])\.jar$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26377; rev:3;)
# Egypack EK (sids 26368, 26367, 26366), all disabled. Landing pages are keyed
# on the literal EGYPACK_CRYPT identifier ("=new Array;EGYPACK_CRYPT" and
# "<script language="JavaScript">var EGYPACK_CRYPT"); the outbound rule keys
# on a "User-Agent: Egypack/1." header.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"=new Array|3B|EGYPACK_CRYPT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26368; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Egypack exploit kit outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Egypack/1."; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26367; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"<script language=|22|JavaScript|22|>var EGYPACK_CRYPT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26366; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; distance:0; content:" code="; within:6; distance:1; content:"Java.class"; within:10; distance:1; content:">"; within:1; distance:1; content:"<param name="; distance:0; content:"name"; within:4; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26351; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT TDS redirection - may lead to exploit kit"; flow:to_server,established; content:"/count"; http_uri; content:".php"; within:4; distance:2; http_uri; pcre:"/\/count\d{2}\.php$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26350; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit obfuscated portable executable"; flow:to_client,established; content:"filename=setup.exe"; fast_pattern:only; http_header; file_data; content:"|8B 7F AA 11 CE 52 0A 3D 76|"; depth:9; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26349; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit java exploit delivery"; flow:to_client,established; file_data; content:"Application.class"; content:"Fazan.class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26348; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload requested"; flow:to_server,established; urilen:8; content:".html"; http_uri; content:" Java/1"; fast_pattern; http_header; pcre:"/\/\d{2}\.html$/U"; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26346; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?h="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?h\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26345; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; distance:0; content:" code="; within:6; distance:1; content:"Application.class"; within:17; distance:1; content:">"; within:1; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26344; rev:4;)
# Nuclear exploit kit landing pages (server-to-client, file_data).
# sid 26343: "swf_id" object/embed structure followed by a 32-char hex/alnum .swf or .jar name;
# the trailing pcre is not relative, so it may match anywhere in the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"id="; content:"swf_id"; within:6; distance:1; content:"<param name="; distance:0; content:"Play"; within:4; distance:1; content:" value="; within:7; distance:1; content:"0"; within:1; distance:1; content:"><embed src="; distance:1; content:"http|3A 2F 2F|"; within:8; distance:1; content:".swf"; pcre:"/[a-z0-9]{32}\.(?:jar|swf)/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26343; rev:3;)
# sid 26342: fixed "retwretrewt" div class name plus a ">:)" marker - a template artifact, so it
# is precise but brittle against any template change.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<div class="; content:"retwretrewt"; within:11; distance:1; content:">|3A|)"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26342; rev:2;)
# sid 26341: named applet with an absolute http:// archive URL, a 32-char .jar and a codebase attribute.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"<applet name="; content:" code="; within:100; content:" archive="; within:100; content:"http|3A 2F 2F|"; within:50; content:".jar"; distance:0; content:" codebase="; distance:0; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26341; rev:2;)
# Blackhole rules in this group are disabled (leading '#'). sid 26339 keyed on "/<16 or 32 hex>/ff.php".
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval - ff.php"; flow:to_server,established; urilen:>16; content:"/ff.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/ff\.php/U"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26339; rev:3;)
# Injected-iframe loader: single fixed token "}catch(gdsg" in the response body (fast_pattern only).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr injection detection - leads to exploit kit"; flow:to_client,established; file_data; content:"}catch(gdsg"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26338; rev:3;)
# Disabled: Blackhole "prototype;}catch(" ... ".substr" structure.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"prototype|3B|}catch("; content:".substr"; within:50; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26337; rev:2;)
# CritX redirection frameset: fixed TOPFRAME frame tag, an index.php?id= target and "noresize>".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit redirection page"; flow:to_client,established; file_data; content:"<frame marginwidth=0 marginheight=0 frameborder=0 name=|22|TOPFRAME|22|"; fast_pattern:only; content:"index.php?id="; content:"noresize>"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:26323; rev:3;)
# Styx redirect: 'var <x>="pdf"' followed within 250 bytes by location.href=. The tokens are
# ordinary JavaScript, so this one is the likeliest in the group to need a false-positive review.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit redirection page"; flow:to_client,established; file_data; content:"var"; content:"=|22|pdf|22|"; within:25; content:"location.href="; within:250; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26297; rev:2;)
# Styx landing page: quoted applet archive/code/name attributes, then a <param name= 5 bytes later.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|"; within:50; content:"|22| name=|22|"; within:50; content:"<param name=|22|"; within:20; distance:5; content:"|22| value=|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26296; rev:2;)
# Sakura: request for /news/thing.php on TCP port 82 specifically (not $HTTP_PORTS), no http_uri
# modifier, so the content is searched in the raw payload; relies on "service http" being
# assigned to port 82 traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"EXPLOIT-KIT Sakura exploit kit exploit request"; flow:to_server,established; content:"/news/thing.php"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26293; rev:2;)
# Disabled: Blackhole Java <object classid=...8AD9C840...> with an ARCHIVE param.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<object classid=|22|clsid|3A|8AD9C840-044E-11D1-B3E9-00805F499D93|22| codebase=|22|"; fast_pattern:only; content:"<param NAME=|22|ARCHIVE|22| VALUE=|22|"; metadata:service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26253; rev:2;)
# Impact: 1x1 applet with a .class code attribute, .jar archive and a following <param name=".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code=|22|"; content:".class|22| archive=|22|"; distance:0; content:".jar|22| width=|22|1|22| height=|22|1|22|><param name=|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2010-0188; reference:cve,2012-1723; reference:cve,2012-5076; reference:cve,2013-0422; classtype:trojan-activity; sid:26252; rev:2;)
# Sweet Orange, sid 26233: the match is only the generic shape '<applet archive="..." code="...class"'
# with short attribute values, so any legitimate applet of that shape would also fire; keep
# sid 26232 (unique "p=parseInt;ss=String;asgq=" prologue) as the higher-confidence signal.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:25; content:".class|22|"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26233; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<script>p=parseInt|3B|ss=String|3B|asgq="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26232; rev:2;)
# Disabled: Blackhole "/<16 hex>/q.php", with a negated header match to exclude siteadvisor.com scanners.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>16; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/q\.php/U"; content:!"siteadvisor.com"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26227; rev:4;)
# Crimeboss redirect: javaEnabled() probe, a document.write('<script src=" and a ".js/?k=v" URL;
# the /R pcre is relative to the last content match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"navigator.javaEnabled()"; content:"document.write(|27|"; within:100; content:"<script src=|22|"; distance:0; pcre:"/\.js\/\?[a-z]+\=[a-z]{1,4}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26226; rev:1;)
# Neutrino (2013). sid 26100/26099: single-quoted applet with code='JHelper', or an IE-only
# document.write of the applet. sid 26096/26095: landing-page JS skeleton (empty try/catch
# chain, ";n=[") and a fixed hex-array prologue; both are flagged impact_flag red.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"<applet archive=|27|http|3A 2F 2F|"; content:"|27| code=|27|JHelper|27| width=|27|"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26100; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"if (navigator.appName == |27|Microsoft Internet Explorer|27|) {"; content:"document.write(|27|<applet archive=|22|http|3A|//"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26099; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"try{}catch("; content:"}try{"; within:50; content:"}catch("; within:50; content:"|3B|n=|5B|"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26096; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"|3D 5B|0x9,0x9,0x2f,0x2a,0x2a,0xa,0x9,0x9,0x20,0x2a,0x20,"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26095; rev:2;)
# Sweet Orange: 10x9 applet followed by CRLF and '<param value="' - exact byte layout, fast_pattern only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:".class|22| width=|22|10|22| height=|22|9|22|>|0D 0A|<param value=|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26094; rev:2;)
# Styx landing page, CRLF-separated applet/param layout with an absolute http:// param value.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22 20|code=|22|"; within:25; content:"|22 20|name=|22|"; within:25; content:"|22|>|0D 0A|<param name=|22|"; within:25; content:"|22 20|value=|22|http|3A 2F 2F|"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:26090; rev:3;)
# Crimeboss URI family (malwaresigs.com, Feb 2013). Each rule keys on a literal query string in
# http_uri; the Java-UA rules additionally require " Java/1" in the request headers, which
# separates the kit's payload fetch from a browser loading a same-named static file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - setup"; flow:to_server,established; content:".php?setup=d&s="; fast_pattern:only; http_uri; pcre:"/\.php\?setup=d\&s=\d+\&r=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26045; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - redirection attempt"; flow:to_server,established; content:".php?action=jv&h="; fast_pattern:only; http_uri; pcre:"/\.php\?action=jv\&h=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26044; rev:1;)
# Payload fetches disguised as image/CPL files (Instal.jpg, x4.gif, Plugin.cpl), Java UA required.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/Instal.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26043; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - stats loaded"; flow:to_server,established; content:".php?action=stats_loaded"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26042; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/x4.gif"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26041; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/Plugin.cpl"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26040; rev:2;)
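# Crimeboss Java exploit downloads (CVE-2013-0422): "/jmx.jar?r=<digits>" and "/jhan.jar?r=<digits>".
# The PCRE must escape '.' and '?' so that it matches the literal "jmx.jar?r=" the preceding
# content match already requires. Unescaped, "jar?r=" makes the 'r' of "jar" optional and never
# consumes the literal '?', so the expression cannot match the URI it targets and the rule never
# fires on the intended request (the content match alone is not sufficient; the pcre is ANDed).
# rev bumped to reflect the detection change.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; content:"/jmx.jar?r="; fast_pattern:only; http_uri; pcre:"/^\/jmx\.jar\?r=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26039; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; content:"/jhan.jar?r="; fast_pattern:only; http_uri; pcre:"/^\/jhan\.jar\?r=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26038; rev:2;)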
# Crimeboss "amor<0-2 digits>.jar" fetch from a Java UA; the within:6 on ".jar" enforces the
# 0-2 digit gap after "/amor". Note this rule checks " Java/" rather than the " Java/1" used by
# the sibling Crimeboss rules - functionally a superset, not an error.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java Exploit"; flow:to_server,established; content:"/amor"; fast_pattern; http_uri; content:".jar"; within:6; http_uri; content:" Java/"; http_header; pcre:"/^\/amor\d{0,2}\.jar/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26036; rev:1;)
# Crimeboss statistics callbacks; useful for scoping which hosts reached the kit's landing page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - java on"; flow:to_server,established; content:".php?action=stats_javaon"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26035; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - stats access"; flow:to_server,established; content:".php?action=stats_access"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26034; rev:1;)
# Blackholev2 rules (sid 26033/26031) are disabled; the iframe one matched only a generic
# nested try/catch shape, the landing one an empty <title> followed by an <object WIDTH=".
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit iframe redirection attempt"; flow:to_client,established; file_data; content:"try{"; content:"++}catch("; within:15; content:"{try{"; within:20; content:"}catch("; within:20; content:"=|22|"; within:50; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26033; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<head><title></title></head><body><object WIDTH=|22|"; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26031; rev:3;)
# Sibhost: a single fixed 32-character token in the URI (community ruleset, impact_flag red).
# A hard-coded token like this is high confidence while the campaign lasts and worthless after.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:3;)
# Gong Da redirect: nine concatenated "0" string literals followed by '}catch(e){var'.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit redirection page received"; flow:to_client,established; file_data; content:"+=|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22 3B|}catch(e){var"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:25989; rev:3;)
# Disabled: Redkit page referencing the fixed jar names 332.jar and 887.jar.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"/332.jar|22| code=|22|"; content:"/887.jar|22| code=|22|"; distance:0; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25989; rev:3;)
# Redkit "Loading... Please Wait." placeholder body followed by a document.write.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><td><h1>Loading... Please Wait.</h1></td><script>document.write("; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25988; rev:2;)
# Disabled: three-digit .pdf request (urilen:8 = "/" + 3 digits + ".pdf").
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit three number PDF Request"; flow:to_server,established; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25972; rev:2;)
# Generic drive-by: 1x1 hidden iframe pointing at /Home/index.php (community ruleset).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25948; rev:3;)
# CritX URI family: payload (/i8.php?jquery=), Java 5 exploit (/j15.php?i=), PDF (/p5.php?t=)
# and the plugin-detect script (/js/rdps.js). "/js/rdps.js" is the broadest of the four and is
# only "possible" detection per its msg - treat it as corroborating rather than conclusive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit malicious payload retrieval"; flow:to_server,established; content:"/i8.php?jquery="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V5 exploit download"; flow:to_server,established; content:"/j15.php?i="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25823; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit malicious PDF retrieval"; flow:to_server,established; content:"/p5.php?t="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25822; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit possible plugin detection attempt"; flow:to_server,established; content:"/js/rdps.js"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25821; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure"; flow:to_client,established; file_data; content:"<title>Please Wait...</title></head><body><script>function"; fast_pattern:only; content:"<html><head>"; depth:12; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:25808; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Whitehole exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code"; content:".jar?java="; distance:0; content:"width="; within:15; content:"<param name="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25806; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval"; flow:to_server,established; content:"/Java"; http_uri; content:".jar?java="; http_uri; pcre:"/\/Java([0-9]{1,2})?\.jar\?java=[0-9]{2}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25805; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Whitehole exploit kit malicious jar download attempt"; flow:to_server,established; content:"?java="; fast_pattern:only; http_uri; pcre:"/\?java\=[0-9]{2,6}$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25804; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file dropped"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"BurkinoGoso.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25803; rev:9;)
# Stamp exploit kit. A leading "#" on a rule line means the rule ships disabled.
# sid 25802 (disabled) has no content keyword at all — only urilen and a pcre — so if
# enabled it cannot be anchored by the fast-pattern matcher and the regex would run
# against every request with a URI longer than 40 bytes. Keep it disabled or give it
# a content anchor before turning it on.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit encoded portable executable request"; flow:to_server,established; urilen:>40; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[0-9]{7,10}$/U"; metadata:service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25802; rev:5;)
# sids 25801 / 25799: the pcre is anchored (^ ... $) to the whole URI path, and each
# sets a file.exploit_kit.* flowbit so the response body gets file-type inspection.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit jar file request"; flow:to_server,established; urilen:>40; content:".jar"; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25801; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit Javascript request"; flow:to_server,established; urilen:>40; content:"/Qm"; http_uri; content:".js"; distance:0; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/Qm[a-zA-Z0-9]+\/[a-z]+\.js$/U"; metadata:service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25800; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit pdf request"; flow:to_server,established; urilen:>40; content:".pdf"; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25799; rev:6;)
# Generic "32 alphanumerics + .jar" request from a Java client. Requires the
# java_user_agent flowbit (set by sid 25041 further down) and additionally re-checks
# " Java/1" in the headers inline, so the flowbit alone is not trusted. urilen:>36 is
# the exact minimum for "/" + 32 chars + ".jar" (37 bytes).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit 32-alpha jar request"; flow:to_server,established; flowbits:isset,java_user_agent; urilen:>36; content:"GET"; http_method; content:".jar"; nocase; http_uri; content:" Java/1"; http_header; pcre:"/\/[a-zA-Z0-9]{32}\.jar/U"; flowbits:set,file.exploit_kit.jar; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25798; rev:7;)
# Blackhole / Blackholev2 — all five rules below ship disabled. sid 25611 keys on a
# fixed path plus a ".ru:8080\r\n" header fragment (presumably the Host header; the
# rule does not name the header, so confirm on a sample before enabling).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/news.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25611; rev:3;)
# sid 25591 matches a short, generic try/catch JavaScript scaffold — a likely
# false-positive source on ordinary pages, which may be why it is disabled.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<script>try"; content:"}catch("; within:50; content:"}try{if("; within:50; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25591; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>"; fast_pattern:only; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25590; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<PARAM VALUE=|22|"; content:"|22| NAME=|22|CODE|22|><PARAM NAME=|22|ARCHIVE|22| VALUE=|22|"; within:50; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25569; rev:3;)
# sid 25568: the negated header match suppresses requests whose headers contain
# "siteadvisor.com" (presumably a reputation scanner's User-Agent — unverified here).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>32; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/q\.php/U"; content:!"siteadvisor.com"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:5;)
# JDB exploit kit: two landing-page signatures on the response body (a zero-size
# applet tag, and a fixed fake "update Flash" alert string) plus the request URI
# "/jdb/inf.php?id=<32 hex>". sid 25559's pcre is anchored at the end of the URI and
# case-insensitive (/Ui); its urilen:>33 is only a coarse prefilter.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT JDB exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width=|27|0px|27| height=|27|0px|27| code=|22|"; content:"|22| archive=|22|data"; within:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25561; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT JDB exploit kit landing page"; flow:to_client,established; file_data; content:"setTimeout(|22|alert(|27|Adobe Flash must be updated to view this, please install the latest version!|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25560; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT JDB exploit kit landing page retrieval"; flow:to_server,established; urilen:>33; content:"/jdb/inf.php?id="; fast_pattern:only; http_uri; pcre:"/\/jdb\/inf\.php\?id=[a-f0-9]{32}$/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25559; rev:2;)
# Kit-agnostic heuristic (note: no reference keyword) for a hidden injected iframe:
# createElement('iframe'), an http:// src, absolute positioning, no border and a 1px
# height, in that order. The first two content matches are not relative to each other;
# ordering is enforced from the third match on via distance:0. Legitimate 1px
# tracking frames built the same way may also trip this — review before dropping.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit redirection"; flow:to_client,established; file_data; content:"{ var"; content:"= document.createElement(|27|iframe|27|)|3B|"; content:".src = |27|http|3A 2F 2F|"; content:"|27 3B| "; distance:0; content:".style.position = |27|absolute|27 3B|"; distance:0; content:".style.border = |27|0|27 3B| "; distance:0; content:".style.height = |27|1px|27 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:25558; rev:3;)
# Red Dot exploit toolkit.
# sid 25540: "&version=" is 9 bytes, so within:9 distance:1 forces the value of
# "&exploit=" to be exactly one byte. NOTE(review): the final content "&rnd=" is the
# only one in this rule without an http_uri modifier, which looks like an omission —
# it will be looked for in the raw payload rather than the normalized URI buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Red Dot executable retrieval attempt"; flow:to_server,established; content:"/load.php?guid="; nocase; http_uri; content:"&thread="; distance:0; nocase; http_uri; content:"&exploit="; distance:0; nocase; http_uri; content:"&version="; within:9; distance:1; nocase; http_uri; content:"&rnd="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25540; rev:1;)
# sid 25539: the content chain plus urilen:6 describe a six-byte URI "/X.jar".
# NOTE(review): the pcre escapes the opening bracket ("\[fx]"), so it appears to match
# the literal nine-byte text "/[fx].jar", which urilen:6 can never satisfy — as written
# the rule looks unable to fire. The intended pattern is presumably a character class,
# /\/[fx]\.jar$/U; confirm against the reference sample before changing it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Red Dot java retrieval attempt"; flow:to_server,established; urilen:6; content:"/"; http_uri; content:".jar"; within:4; distance:1; http_uri; pcre:"/\/\[fx]\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25539; rev:2;)
# sid 25538 landing page. NOTE(review): the first param match is "<param name"guid"
# (no "=" before the quote) while the second is "<param name="thread"; either the kit's
# HTML really contains that typo or the signature does — verify on a sample rather
# than "fixing" it blindly, since matching the kit's own typo may be intentional.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Red Dot landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|"; within:12; distance:1; content:"width=|22|100|22| height=|22|100|22|>"; within:50; content:"<param name|22|guid"; content:"|22| value=|22|"; within:10; content:"<param name=|22|thread"; content:"|22| value=|22|"; within:10; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25538; rev:1;)
# Sweet Orange. sid 25391 (disabled) gates on the java_user_agent flowbit and then
# matches a handful of single bytes at fixed offsets in the response body — a very
# weak pattern that is likely to false-positive, which is probably why it ships off.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|22 2A|"; depth:2; content:"s"; within:1; distance:2; content:"|27|"; within:1; distance:3; metadata:policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html; classtype:trojan-activity; sid:25391; rev:3;)
# sid 25390: fixed heading text on the landing page; sid 25389: applet/param tag
# layout with tight within/distance windows (brittle to any template change).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h1>Open your server</h1>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25390; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:15; distance:5; content:".class|22| width=|22|"; within:30; distance:5; content:"|22| height=|22|"; within:25; content:"<param"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25389; rev:1;)
# Blackholev2 redirection variant of sid 25611 (different path, same header check); disabled.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/public_version.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25388; rev:3;)
# Payload-name heuristics: five parallel rules that inspect server response headers
# for "filename=" immediately followed by a specific .exe name (the within value is the
# name length + 2, leaving room for a quote) and a CRLF within 4 bytes, i.e. the name
# must be the last thing on that header line. The names are generic (calc.exe,
# info.exe ...), so a benign download with one of these names from an external host
# alerts and is dropped in balanced/security — tune per environment. The rules do not
# name the header, but the filename= pattern is presumably Content-Disposition.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - readme.exe"; flow:to_client,established; content:"filename="; http_header; content:"readme.exe"; within:12; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25387; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - about.exe"; flow:to_client,established; content:"filename="; http_header; content:"about.exe"; within:10; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25386; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - calc.exe"; flow:to_client,established; content:"filename="; http_header; content:"calc.exe"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25385; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - contacts.exe"; flow:to_client,established; content:"filename="; http_header; content:"contacts.exe"; within:13; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25384; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.exe"; flow:to_client,established; content:"filename="; http_header; content:"info.exe"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25383; rev:3;)
# CVE-2013-0422 jar delivery. sid 25302 matches two entry names each immediately
# followed by "PK" (the signature of the next archive header), so it binds on both the
# exact class names and their adjacency in the archive; it needs the file.jar flowbit,
# set outside this section. classtype is attempted-user rather than trojan-activity.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit malicious jar archive download"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"hw.classPK"; fast_pattern:only; content:"test.classPK"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25302; rev:3;)
# sid 25301: applet tag whose archive attribute begins with "/read/".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirect to malicious java archive attempt"; flow:to_client,established; file_data; content:"|3C|applet archive|3D 22 2F|read|2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25301; rev:3;)
# Redkit redirector: an unquoted 2x2 iframe whose attribute string must start at least
# 10 bytes after "<iframe name=" and be found within the following 75 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe name="; content:"=auto frameborder=no align=center height=2 width=2 src=http|3A|//"; within:75; distance:10; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25255; rev:2;)
# Styx exploit kit.
# sid 25140: Java client (" Java/" in headers) requesting a URI ending in "&h=11";
# sets file.pe.styx for a consumer rule that is not in this section.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit portable executable download request"; flow:to_server,established; content:" Java/"; http_header; content:"&h=11"; fast_pattern:only; http_uri; pcre:"/\&h=11$/U"; flowbits:set,file.pe.styx; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25140; rev:6;)
# sids 25139 / 25138 (disabled): a URI of 76-97 bytes shaped "/<76-81 alnum>/<4-10 alnum>.eot|.pdf".
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit eot outbound connection"; flow:to_server,established; urilen:75<>98; content:".eot"; fast_pattern:only; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.eot$/U"; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25139; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit pdf outbound connection"; flow:to_server,established; urilen:75<>98; content:".pdf"; fast_pattern:only; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.pdf$/U"; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25137; rev:5;)
# sid 25137: long (>150 byte) URI ending in a short .jar name, and the request must
# carry no Cookie header at all (negated header match). The pcre is not anchored at
# the start, so the preceding path is unconstrained beyond urilen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit jar outbound connection"; flow:to_server,established; urilen:>150; content:".jar"; fast_pattern:only; http_uri; content:!"Cookie"; nocase; http_header; pcre:"/\/[a-zA-Z0-9]{4,10}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25137; rev:5;)
# sid 25136: plugin-detection page "/pdfx.html" at the end of a >100 byte URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection"; flow:to_server,established; urilen:>100; content:"/pdfx.html"; fast_pattern:only; http_uri; pcre:"/\/pdfx\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25136; rev:7;)
# Redkit (all three disabled, security-ips only when enabled). sid 25052's pcre has no
# anchors, but urilen:8 pins the URI to exactly "/NNN.jar". sid 25051 and 25053 both
# key on the class name "Runs.class", which the kit can rename at will.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit outbound class retrieval"; flow:to_server,established; content:"Runs.class"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25053; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit requested - 3 digit"; flow:to_server,established; urilen:8; content:".jar"; http_uri; pcre:"/\x2f\d{3}\.jar/U"; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25052; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:".jar|22| code=|22|Runs.class|22|><param "; fast_pattern:only; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25051; rev:3;)
# CritX (ex-Vintage) pack: fixed PHP endpoints per exploit. The two Java rules require
# a " Java/1." header fragment (applet-initiated fetch); the PDF rule does not, since
# that request is presumably made by the browser itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit PDF Library exploit download"; flow:to_server,established; content:"/lpdf.php?i="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25048; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V7 exploit download"; flow:to_server,established; content:"/j17.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25047; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V6 exploit download"; flow:to_server,established; content:"/j16.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25046; rev:3;)
# Sweet Orange landing page: empty keywords meta tag followed within 30 bytes by a
# <title> starting "Collocation" (sid 24839 below is the same shape with "Blob").
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Collocation"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:25044; rev:2;)
# Blackholev2 URL structure: the chain of ".php?" and "|3A|" content matches is only a
# cheap prefilter; the pcre is the authoritative check for
# "<2-8 letters>=xx:xx:xx:xx:xx&<2-8 letters>=" in the query string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit url structure detected"; flow:to_server,established; content:".php?"; http_uri; content:"|3A|"; within:7; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"&"; distance:0; pcre:"/\.php\?[a-z]{2,8}=[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\&[a-z]{2,8}=/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25043; rev:2;)
# Java client receiving a Windows executable. After the "MZ" match the cursor sits at
# offset 2; byte_jump:4,58,relative,little reads the 4-byte little-endian value at
# offset 60 (e_lfanew, the PE header offset) and moves the cursor to 64 + that value;
# "PE|00 00|" within:4 distance:-64 then checks for the PE signature exactly at
# e_lfanew. This is a genuine PE-structure check, not just a magic-byte sniff.
# The negated header match exempts a single filename ("FTB_Launcher.exe") from the
# rule; the flowbit comes from sid 25041 below. Because flowbits are flow-scoped, the
# bit set by an earlier request persists for later responses on the same keep-alive
# connection.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit"; flow:to_client,established; flowbits:isset,java_user_agent; content:!"FTB_Launcher.exe"; nocase; http_header; content:"filename="; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cve-2012-5076-massively-adopted.html; classtype:trojan-activity; sid:25042; rev:3;)
# Flowbit setter only (flowbits:noalert — never alerts on its own): marks a flow whose
# request carries a "Java/1." User-Agent. Consumed by sids 25798, 25391 and 25042 in
# this section. The pcre re-validates that "Java/1." is on the User-Agent line itself
# rather than elsewhere in the headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Java User-Agent flowbit set"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:"Java/1."; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; flowbits:set,java_user_agent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25041; rev:4;)
# ProPack: fixed URI fragments sourced from public URL-list queries (see references).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound connection"; flow:to_server,established; content:"/build/agrde/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24979; rev:2;)
# sid 24978: Java client requesting "?j=1&k=<digit>". NOTE(review): the optional group
# "(i=[0-9])?" has no "&" separator, so it only admits "k=1i=2"-style strings; if a
# second parameter was meant, "(&i=[0-9])?" is the likely intent — confirm on a sample.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound payload request"; flow:to_server,established; content:".php?j=1&k="; fast_pattern:only; http_uri; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24978; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound connection attempt"; flow:to_server,established; content:"/build2/serge/opafv.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,urlquery.net/search.php?q=build2%2Fserge&type=string&start=2012-11-22&end=2012-12-07&max=50; reference:url,www.malwaredomainlist.com/mdl.php?search=build2%2Fserge&colsearch=Domain&quantity=50&inactive=on; classtype:trojan-activity; sid:24977; rev:2;)
# Nuclear landing page: a short obfuscator scaffold ("{if(typeof" ... "return this;}")
# matched within 100 bytes; generic JavaScript could match, so watch FP rate.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"{if(typeof"; content:"))|3B|}}return this|3B|}"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:24888; rev:3;)
# Blackholev2 landing-page text delivered over mail (SMTP to $SMTP_SERVERS) and over
# other file-carrying services ($FILE_DATA_PORTS: ftp-data, http, imap, pop3). Three
# banner variants (with/without spaces around the slash, and the "Please wait" H1),
# each duplicated per transport. All six ship disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24865; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24864; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24863; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24862; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>"; within:11; metadata:service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24861; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>"; within:11; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24860; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit outbound JAR download attempt"; flow:to_server,established; content:"?s="; http_uri; content:"&m="; within:3; distance:1; http_uri; pcre:"/^\x2f[A-Za-z0-9]{33}\?s=\d\&m=\d$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:24841; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - JAR redirection"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:12; distance:6; content:"|22| width|3D 22|"; within:12; distance:9; content:"|22| height|3D 22|"; within:12; content:"|0D 0A|<param"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24840; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Blob"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24839; rev:3;)
# Generic Java class fetches (sids 24797-24794, shipped disabled): a request whose URI contains
# /org.class, /net.class, /edu.class or /com.class from a "Java/1." User-Agent. The pcre only
# re-checks the User-Agent header; the fast_pattern:only URI string is the sole discriminator.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/org.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:24797; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/net.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:24796; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/edu.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:24795; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/com.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:24794; rev:5;)
# KaiXin class download (sid 24793): the file body must start with the ZIP magic "PK" (depth:2)
# and later contain the GondadGondadExp.class entry name.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit Java Class download"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"GondadGondadExp.class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; reference:url,urlquery.net/report.php?id=222114; classtype:trojan-activity; sid:24793; rev:4;)
# CritX / CritXPack. Request-side rules (24790, 24788, 24786, 24785) match fixed URI fragments
# (load.php?e=u&token=, p3.php?t=u&oh=, j.php?t=u, /i.php?token=). Response-side rules 24791 and
# 24787 key only on a Content-Disposition filename of 24 lowercase alphanumerics plus .exe/.jar,
# and 24789 on p50 + 9 alphanumerics + 12 digits + .pdf; they carry no other kit-specific token,
# so correlate a hit with the matching request-side rule on the same flow when triaging.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit Portable Executable download"; flow:to_client,established; content:" filename="; http_header; content:".exe|0D 0A|"; distance:0; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24791; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Portable Executable request"; flow:to_server,established; content:"load.php?e=u"; http_uri; content:"&token="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24790; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit PDF Exploit download attempt"; flow:to_client,established; content:"application/pdf"; http_header; content:"Content-Disposition|3A| inline|3B| filename=p50"; http_header; content:".pdf|0D 0A|"; distance:0; http_header; pcre:"/filename=p50[a-z0-9]{9}[0-9]{12}\.pdf/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24789; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit PDF Exploit request structure"; flow:to_server,established; content:"p3.php?t=u"; http_uri; content:"&oh="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24788; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit download"; flow:to_client,established; content:" filename="; http_header; content:".jar|0D 0A|"; distance:0; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24787; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit request structure"; flow:to_server,established; content:"j.php?t=u"; http_uri; content:"content-type"; http_header; content:"x-java-archive|0D 0A|"; distance:0; http_header; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24786; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit possible redirection attempt"; flow:to_server,established; content:"/i.php?token="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24785; rev:2;)
# KaiXin attack-vector samples: the same two 32-byte excerpts are checked on SMTP (24670, 24669)
# and on file-data ports (24668, 24667). Each rule requires the file.cws (presumably compressed
# SWF) or file.zip flowbit to be already set on the flow by file-type rules outside this span,
# so the bytes are only evaluated inside an identified Flash or ZIP body. A fixed byte excerpt
# will not survive re-packing of the sample.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24670; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24669; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24668; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24667; rev:4;)
# Blackhole / Blackholev2, all shipped disabled (sids 24638 through 24501). Most are single
# fast_pattern:only strings taken from redirection and landing pages; 24544/24543 flag access to
# /bhadmin.php in either direction and use classtype misc-activity rather than trojan-activity.
# None of these carry an IPS drop policy in their metadata.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/column.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24638; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24637; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure"; flow:to_server,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; fast_pattern:only; metadata:service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24636; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt"; flow:to_server,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; fast_pattern:only; metadata:service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24608; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page received - specific structure"; flow:to_client,established; file_data; content:"<html><head><title></title></head><body><div "; depth:60; pcre:"/body\x3e\x3cdiv\s[a-z]{3}\x3d\x22[a-z]{3}\x22/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24593; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"try{"; within:20; nocase; content:"}catch("; within:20; nocase; content:"try{"; within:20; content:"}catch("; within:20; content:"=window["; within:100; nocase; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24548; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"try{"; within:20; nocase; content:"}catch("; within:20; nocase; content:"try{"; within:20; content:"}catch("; within:20; content:"=new Array("; within:100; nocase; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24547; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24546; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole admin page outbound access attempt"; flow:to_server,established; content:"/bhadmin.php"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24544; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole admin page inbound access attempt"; flow:to_server,established; content:"/bhadmin.php"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24543; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit fallback executable download"; flow:to_server,established; content:"/adobe/update_flash_player.exe"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:24501; rev:4;)
# Unknown-kit redirector (sid 24344): a <script> whose obfuscated identifiers (the "constructor"
# string, appVersion_var, document_body_var) appear in that order; the ="constructor";var
# fragment is the fast pattern.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown exploit kit redirection page"; flow:to_client,established; file_data; content:"<script"; nocase; content:"|3D 22|constructor|22 3B|var|20|"; distance:0; fast_pattern; nocase; content:"|27 3B|var appVersion_var|3D 22|"; distance:0; nocase; content:"].apply(document_body_var,["; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,jsunpack.jeek.org/?report=bf7e015d53808a6e94365139395d4d29e5d41840; classtype:trojan-activity; sid:24344; rev:2;)
# Crimeboss. The three outbound rules (24234, 24233, 24232) share /cr1m3/ as the fast pattern and
# anchor their pcre with $, so the query string must end right after the last parameter. 24231
# is the response-side redirector: navigator.javaEnabled() followed by document.write( and a
# php?action= / php?setup= URL.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?setup="; nocase; http_uri; content:"&s="; distance:0; nocase; http_uri; content:"&r="; distance:0; nocase; http_uri; pcre:"/setup=[a-z]\&s=\d\&r=\d{5}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24234; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?setup="; nocase; http_uri; pcre:"/setup=[a-z]$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24233; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?action="; nocase; http_uri; content:"&h="; distance:0; nocase; http_uri; pcre:"/\&h=\d{5}$/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24232; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"if(navigator.javaEnabled()) {"; content:"document.write("; within:30; content:"php?"; within:75; pcre:"/(action|setup)=[a-z]{1,4}/Ri"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24231; rev:2;)
# Blackhole landing-page structure rules, all shipped disabled (sids 24228 through 23619).
# Several reuse the try{ ... }catch( obfuscation shape, with a pcre re-checking the same bytes.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page Received"; flow:to_client,established; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{10,64}&[a-z]{2,12}=.*?&[a-z]{2,12}=/"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24228; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page received"; flow:to_client,established; file_data; content:"value="; content:"N0b09090"; within:10; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24226; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure"; flow:to_client,established; file_data; content:"<script>try{"; content:"++"; within:20; nocase; content:"}catch("; within:10; nocase; content:"}catch("; within:50; pcre:"/\x3cscript\x3etry\x7b\w+\x2b\x2b([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24054; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure"; flow:to_client,established; file_data; content:"<html><body><applet/code=|22|"; content:"/archive=|22|"; within:20; content:".jar"; within:20; content:"<param/nam="; within:20; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24053; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - fewbgazr catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"fewbgazr"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/fewbgazr([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23962; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - hwehes"; flow:to_client,established; file_data; content:"hwehes"; fast_pattern:only; pcre:"/hwehes[a-z0-9]{15,22}hwehes/smi"; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,jsunpack.jeek.org/dec/go?report=b50c0b809c0decade20f7f8a18116d1bdc9cd179; classtype:trojan-activity; sid:23850; rev:6;)
# sid 23849 is a silent flowbit setter (flowbits:set,kit.blackhole; flowbits:noalert): its only
# job is to arm rules that test isset,kit.blackhole. While it stays disabled, any such dependent
# rule (none is in this span) can never fire; re-enable it together with them. sid 23848 on the
# following line sets the same bit but does alert itself.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"?page="; fast_pattern:only; http_uri; pcre:"/\?page\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23849; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"profile.php?woman="; http_uri; pcre:"/profile\.php\?woman\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; metadata:impact_flag red, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23848; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole redirection page"; flow:to_client,established; file_data; content:"width|3D 27|10|27| height|3D 27|10|27| style|3D 27|visibility|3A|hidden|3B|position|3A|absolute|3B|left|3A|0|3B|top|3A|0|3B 27 3E 3C 2F|iframe|3E 22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,www.urlquery.net/report.php?id=113788; classtype:trojan-activity; sid:23797; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - Math.round catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.round"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/Math\x2eround([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23786; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - Math.floor catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.floor"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/Math\x2efloor([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23785; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><script>z=function(){"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:23781; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page request - tkr"; flow:to_server,established; content:".php?"; http_uri; content:"src="; distance:0; http_uri; content:"&gpr="; distance:0; http_uri; content:"&tkr="; distance:0; fast_pattern; http_uri; pcre:"/src=\d+&gpr=\d+&tkr[ib]?=/U"; metadata:policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,urlquery.net/report.php?id=90530; classtype:trojan-activity; sid:23622; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch broken"; flow:to_client,established; file_data; content:"totype"; content:"}catch("; distance:0; pcre:"/totype(\x22|\x27)([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,labs.sucuri.net/?malware; classtype:attempted-user; sid:23619; rev:6;)
# Redkit. sid 23224 silently sets kit.redkit on a request for /<8 digits>.html (urilen:14,
# flowbits:noalert) and sid 23225 then alerts on any <applet> in a response on a flow carrying
# that bit; the two only work as a pair. 23222's pcre accepts archive/src values that are
# double-, single- or un-quoted (the empty alternative in (\x22|\x27|)).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and flowbit"; flow:to_client,established; flowbits:isset,kit.redkit; file_data; content:"<applet"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23225; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page Requested - 8Digit.html"; flow:to_server,established; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,kit.redkit; flowbits:noalert; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23224; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and code"; flow:to_client,established; file_data; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; metadata:policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23223; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and 5 digit jar attempt"; flow:to_client,established; file_data; content:"<applet"; fast_pattern:only; pcre:"/<applet[^>]+(archive|src)\s*?=\s*?(\x22|\x27|)\s*?(\d{5}\.jar|[^>]+\/\d{5}\.jar)/smi"; metadata:policy balanced-ips alert, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23222; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit Jar File Naming Algorithm"; flow:to_client,established; content:"Content-Disposition: inline"; nocase; http_header; content:".jar"; fast_pattern; http_header; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; within:2; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23221; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit Requested - 5 digit jar"; flow:to_server,established; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23220; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit request to .class file"; flow:to_server,established; content:".class"; http_uri; pcre:"/^\/\w{1,2}\/\w{1,3}\.class$/U"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23219; rev:6;)
# sid 23218 alerts only after 5 matching requests from one source within 15 s (detection_filter).
# NOTE(review): the pcre is anchored as ^images.php while 23224/23220/23219 above anchor ^\/ —
# the normalized URI buffer (/U) normally begins with "/", so this anchor likely never matches;
# confirm against a capture and, if so, use ^\/images\.php\?t=\d{2,7}$ (also escaping the dot).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit Repeated Exploit Request Pattern"; flow:to_server,established; content:"images.php?t="; fast_pattern:only; http_uri; pcre:"/^images.php\?t=\d{2,7}$/U"; detection_filter:track by_src, count 5, seconds 15; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,labs.snort.org/docs/23218.txt; classtype:trojan-activity; sid:23218; rev:8;)
# --- Blackhole landing-page text (both disabled) and Nuclear Pack ---
# Disabled. "<hN><b>Please wait a moment. You will be forwarded..</b>" followed by "</hN>" in the body.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<h"; nocase; content:"><b>Please wait a moment. You will be forwarded.."; within:54; distance:1; nocase; content:"</h"; within:10; content:"></b>|0D 0A|"; within:7; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23159; rev:8;)
# Disabled. "prototype-" then "}catch(" within 1-5 non-"}" characters. Sids 21646 and 21492 below match the
# same structure with slightly different regexes.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype-"; content:"}catch("; distance:0; pcre:"/prototype\x2d([^\x7d]{1,5})?\x7dcatch\x28/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23158; rev:6;)
# Nuclear Pack payload request: "/g/" + 9 digits + "/" + 32 hex chars + "/" + 1 digit.
# urilen:47 = 3 + 9 + 1 + 32 + 1 + 1, consistent with the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear Pack exploit kit binary download"; flow:to_server,established; urilen:47; content:"/g/"; depth:3; http_uri; pcre:"/g\/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23157.txt; classtype:trojan-activity; sid:23157; rev:8;)
# Disabled. Landing page "/index.php?" + 32 hex chars (urilen:43 = 11 + 32). Destination port is "any"
# rather than $HTTP_PORTS, unlike the other to_server rules in this section.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Nuclear Pack exploit kit landing page"; flow:to_server,established; urilen:43; content:"/index.php?"; fast_pattern:only; http_uri; pcre:"/index.php\?[0-9a-f]{32}$/U"; metadata:policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23156.txt; classtype:bad-unknown; sid:23156; rev:9;)
# --- VBScript StrReverse obfuscation heuristics and social-engineering pages ---
# StrReverse("tcejbOmetsySeliF.gnitpircS  -- the argument is "Scripting.FileSystemObject" spelled backwards
# (|28 22| is the literal '(" ).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject"; flow:to_client,established; file_data; content:"StrReverse|28 22|tcejbOmetsySeliF.gnitpircS"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23149; rev:3;)
# StrReverse("llehS  -- "Shell" reversed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious StrReverse - Shell"; flow:to_client,established; file_data; content:"StrReverse|28 22|llehS"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23148; rev:3;)
# A quoted "taskkill string followed anywhere later in the body (distance:0) by StrReverse.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious taskkill script - StrReverse"; flow:to_client,established; file_data; content:"|22|taskkill"; content:"StrReverse"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23147; rev:3;)
# Fake order/payment-notification page used as a redirector; the heading text is the only match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fake transaction redirect page to exploit kit"; flow:to_client,established; file_data; content:"<h2>Wait your order</h2>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/spam-scams/paypal-payment-notification-leads-to-blackhole-exploit-kit.html; classtype:attempted-user; sid:23141; rev:3;)
# SET (presumably the Social-Engineer Toolkit's Java applet attack): a 1x1 applet carrying WINDOWS, OSX,
# LINUX and 64 params, all required in that order. No external reference is given for this rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SET java applet load attempt"; flow:to_client,established; file_data; content:"<applet width=|22|1|22| height=|22|1|22|"; fast_pattern; content:"<param name=|22|WINDOWS|22| value="; distance:0; nocase; content:"<param name=|22|OSX|22| value="; distance:0; nocase; content:"<param name=|22|LINUX|22| value="; distance:0; nocase; content:"<param name=|22|64|22| value="; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:23106; rev:3;)
# --- Blackhole redirection / landing pages (disabled) and post-compromise script activity ---
# Disabled. Sets kit.blackhole on "src.php?case=<16 hex>"; no noalert, so it alerts as well.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"src.php?case="; http_uri; pcre:"/src.php\?case\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22949; rev:4;)
# Disabled. Redirect page: document.location='http://...showthread.php?t=<16 hex>';
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole landing redirection page"; flow:to_client,established; file_data; content:"document.location|3D 27|http|3A 2F 2F|"; content:"showthread.php?t="; distance:0; pcre:"/showthread\.php\?t\=[a-f0-9]{16}\x27\x3b/smi"; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22041; rev:5;)
# Disabled. Fragment of the obfuscated landing-page JavaScript: ype"].q}catch(
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"ype|22|].q}catch("; fast_pattern:only; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,research.zscaler.com/2012/04/multiple-hijacking.html; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22040; rev:4;)
# Disabled. "Please:wait:page:is:loading" (|3A| is ":").
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; fast_pattern:only; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22039; rev:4;)
# Disabled. "<h1><b>Loading...Please Wait...</b>" surrounded by blank lines (|0D 0A 0D 0A|).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit landing page with specific structure - Loading"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|<h1><b>Loading...Please Wait...</b>|0D 0A 0D 0A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21876; rev:7;)
# Post-compromise indicator: a served script containing "exec " and "taskkill /F /IM".
# classtype successful-user, i.e. treated as evidence the exploit already ran, not as an attempt.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill"; flow:to_client,established; file_data; content:"exec "; content:"taskkill /F /IM"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21875; rev:4;)
# Post-compromise indicator: Createobject(StrReverse( -- VBScript object creation with a reversed class name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse"; flow:to_client,established; file_data; content:"Createobject(StrReverse("; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21874; rev:4;)
# --- Phoenix exploit kit, post-compromise ---
# Outbound request whose headers contain both "Accept-Encoding: identity, *;q=0" and the exact
# User-Agent "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"; both header matches are required.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Phoenix exploit kit post-compromise behavior"; flow:to_server, established; content:"Accept-Encoding: identity, *|3B|q=0"; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.0|3B| Windows 98)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; reference:url,contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html; classtype:successful-user; sid:21860; rev:3;)
# --- Bleeding Life exploit kit module calls (sids 21678-21686) ---
# One rule per exploit module, each a literal ".php?e=<module>" URI match with fast_pattern:only.
# All nine share the same msg text (21679 appends "attempt"), so the sid - not the alert message -
# is what identifies which module was requested; keep that in mind when triaging these alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=JavaSignedApplet"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21686; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-3552"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21685; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-0842"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21684; rev:4;)
# Note: ".php?e=Java-2010-0842" above is a prefix of this module name, so a request for the Helper module
# fires both 21684 and 21683.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-0842Helper"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21683; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-90-2010-0188"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21682; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-80-2010-0188"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21681; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-2010-2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21680; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call attempt"; flow:to_server,established; content:".php?e=Adobe-2010-1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21679; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-2008-2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21678; rev:4;)
# --- Java iframe drive-by, Blackhole landing-page variants, Phoenix landing page ---
# Disabled. Packer signature "function(p,a,c,k,e,d){e=function(c)" followed by "morale.class".
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Java exploit kit iframe drive by attempt"; flow:to_client,established; file_data; content:"function(p,a,c,k,e,d){e=function(c)"; nocase; content:"morale.class"; distance:0; nocase; metadata:service http; reference:cve,2011-3544; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+ThreatBlog%29; classtype:attempted-user; sid:21668; rev:4;)
# Disabled. Consumer of kit.blackhole (isset): only fires if a setter rule such as 21659 below matched
# earlier on the same flow.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - catch"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"}catch(qq"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:21661; rev:7;)
# Disabled. Setter: kit.blackhole on a "/Index/index.php" URI, noalert.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page Requested - /Index/index.php"; flow:to_server,established; content:"/Index/index.php"; http_uri; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21660; rev:6;)
# Enabled setter, but noalert: it only marks the flow with kit.blackhole when the URI is exactly
# "/Home/index.php" (urilen:15). NOTE(review): every kit.blackhole consumer visible in this section
# (21661, 21658, 21657) is commented out, so unless an isset rule elsewhere in the file is enabled this
# flowbit is set and never acted on.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21659; rev:5;)
# Disabled. Consumer of kit.blackhole: hidden span calling safsaf('.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<span style=|22|display:none|3B 22|>safsaf(|27|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21658; rev:6;)
# Disabled. Consumer of kit.blackhole: "<html><body><applet/" then archive= then code=, in that order.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><applet/"; content:"archive="; distance:0; content:"code="; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21657; rev:6;)
# Disabled (ruleset community). "prototype" then "}catch(xxx)" with exactly three word characters in the
# parentheses; the stricter sibling of 21492 below, which takes any "(" after catch and has no file_data.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\(\w{3}\)/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:15;)
# Disabled. Phoenix landing page: String.fromCharCode, the Shockwave Flash ActiveX class id
# d27cdb6e-ae6d-11cf-96b8-444553540000 (used as the fast pattern), and a ".jar'" reference.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Phoenix exploit kit landing page"; flow:to_client,established; file_data; content:"String.fromCharCode"; nocase; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; fast_pattern:only; content:".jar|27|"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; classtype:attempted-user; sid:21640; rev:5;)
# Disabled. BBB (Better Business Bureau)-themed lure heading.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - BBB"; flow:to_client,established; file_data; content:"<h2>BBB loading to show your URGENT complain status.</h2>"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21581; rev:8;)
# Disabled. Exact heading "<h3>Page is loading, please wait..</h3>".
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific header"; flow:to_client,established; file_data; content:"<h3>Page is loading, please wait..</h3>"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21549; rev:7;)
# Disabled. Exact heading "<h1>Loading ... Please Wait.... </h1>" (note the spacing; the match is literal).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific header"; flow:to_client,established; file_data; content:"<h1>Loading ... Please Wait.... </h1>"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21539; rev:7;)
# --- Sakura exploit kit ---
# Three 16-byte sequences taken from the kit's logo image, in order. Requires file.jpeg to have been set
# earlier on the flow (the setter is not among the rules in this section). classtype string-detect:
# this is a fingerprint of kit infrastructure, not an exploit attempt in itself.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit logo transfer"; flow:to_client, established; flowbits:isset,file.jpeg; file_data; content:"|FB 27 68 DE 2D D6 BF E0 AC BF B5 82 78 7B 5C F0|"; content:"|AE 6E 3C CD EE AE BF 33 F5 0F 58 D5 2D 74 3D 2A|"; distance:0; content:"|04 67 82 31 5F 1F 7F C1 62 A7 D4 EC FC 71 FB 31|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:string-detect; sid:21510; rev:6;)
# Although the msg says "request", this is a to_client rule on file_data: it matches the served page
# that references archive='rhin.jar' followed by archive='Goo.jar', not the client's jar request.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit rhino jar request"; flow:to_client,established; file_data; content:"archive='rhin.jar'"; content:"archive='Goo.jar'"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:attempted-user; sid:21509; rev:2;)
# --- Blackhole: prototype/catch structure, carat-split applet, URL setters, jar and pdf chains (all disabled) ---
# Disabled (ruleset community). Same "prototype ... }catch(" structure as 21646 but matched against the raw
# payload (no file_data) and accepting any "(" after catch rather than "(xxx)".
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21492; rev:20;)
# Disabled. "<html><body><applet code=" ... " archive=" ... "display:none;" plus ten consecutive
# "^"-terminated tokens (the pcre's {10} repetition) - the carat-split string obfuscation.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code="; nocase; content:"|20|archive="; distance:0; nocase; content:"display|3A|none|3B|"; distance:0; nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red, ruleset community, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:6;)
# Disabled. Setter: kit.blackhole on "/search.php?page=<16 hex>" at end of URI; alerts as well.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - search.php?page="; flow:to_server, established; content:"/search.php?page="; http_uri; pcre:"/search\.php\?page=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21348; rev:7;)
# Disabled. Generic setter: any ".php?<param>=<16 hex>" URI sets kit.blackhole, noalert.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - .php?page="; flow:to_server, established; content:".php?"; http_uri; pcre:"/\.php\?[^=]+?=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21347; rev:10;)
# Disabled. Jar download, paired with 21345 via blackhole.jar: "nginx" and "application/java-archive" in the
# response headers, then "Main.class" and "Main.classPK" (zip entry name followed by the next local header) in the body.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit malicious jar download"; flow:to_client, established; flowbits:isset,blackhole.jar; content:"nginx"; http_header; content:"application/java-archive"; fast_pattern:only; http_header; file_data; content:"Main.class"; content:"Main.classPK"; distance:0; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21346; rev:6;)
# Disabled. Setter for 21346: "content/rin.jar" request sets blackhole.jar, noalert.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit malicious jar request"; flow:to_server, established; content:"content/rin.jar"; fast_pattern:only; http_uri; flowbits:set,blackhole.jar; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21345; rev:7;)
# Disabled. PDF download, paired with 21343 via blackhole.pdf: "application/pdf" header, "arr=" in the body,
# and a pcre whose \1 backreference requires six digit runs each followed by the same single delimiter
# character. NOTE(review): "flowbits:isset, blackhole.pdf" has a space after the comma, unlike every other
# flowbits option in this section; confirm the parser tolerates it before re-enabling this rule.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; content:"application/pdf"; fast_pattern:only; http_header; file_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:4;)
# Disabled. Setter for 21344: "adp<optional digit>.php?f=" or "?e=" sets blackhole.pdf; alerts as well.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit pdf request"; flow:to_server,established; content:"adp"; fast_pattern; http_uri; content:".php?"; within:5; distance:1; nocase; http_uri; pcre:"/adp\d?\.php\?[fe]=/U"; flowbits:set,blackhole.pdf; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21343; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit response"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"window.document"; fast_pattern:only; content:"split"; pcre:"/\d{1,3}(.)\d{1,3}\1\d{1,3}\1\d{1,3}\1\d{1,3}\1/"; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21259; rev:4;)
# alert tcp any $HTTP_PORTS -> any any (msg:"EXPLOIT-KIT Blackhole exploit kit control panel access"; flow:to_client, established; file_data; content:"charset=utf-8|22|/><title>Blackhole v."; pcre:"/[\d\.]+</title>/R"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:policy-violation; sid:21141; rev:5;)
# sid 21108 (disabled): unknown kit, obfuscated landing page. This is an exact literal of one obfuscator's output
#   (a run of ']}$|' characters), so it is very low false-positive but also trivially broken by a re-obfuscation;
#   treat it as a sample-specific indicator rather than a family detection.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT unknown exploit kit obfuscated landing page"; flow:to_client, established; file_data; content:"[]]}|7C|}{$$$$]}$]]}]]$|7C|$}$]$+]}]/$/]/${$$]$]]]]])$)$|7C|]/$+"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,vrt-blog.snort.org/2012/02/exploit-kit-was-sent-to-you.html; classtype:attempted-user; sid:21108; rev:4;)
# --- Crimepack exploit kit ---
# sid 21099: pdf.php?pdf=<hex>&type=N&o=..&b=  -- note the hex class is [0-9A-F] with no /i, so lowercase hex does
#   NOT match; this is intentional only if the kit always emits uppercase. Confirm against current samples.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimepack exploit kit malicious pdf request"; flow:to_server, established; content:"/pdf.php?pdf="; http_uri; pcre:"/pdf\.php\?pdf=[0-9A-F]+&type=\d+&o=[^&]+&b=/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21099; rev:4;)
# sid 21098: landing page. The fast-pattern literal is the kit's ROT13 step ("charCodeAt(0)+13 ... replace(/@/g,'A')...")
#   and the second content is a base64 alphabet; the /R pcre then continues from that match to confirm the decoder
#   loop shape (String.fromCharCode of the decoded bytes, unescape() of the result).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimepack exploit kit landing page"; flow:to_client, established; file_data; content:"charCodeAt(0)+13)?c:c-26)|3B|}).replace(/@/g,'A').replace(/!/g,'B').replace(/#/g,'C')"; fast_pattern:only; content:"= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='|3B|"; pcre:"/var ([^\s]+) = ''\x3Bvar ([^,]+), ([^,]+).*\1 = \1 \+ String\.fromCharCode\(\2\).*\!= 64\) \{ \1 = \1 \+ String\.fromCharCode\(\3\)\x3b\}.*\x3breturn unescape\(\1\)\x3b\}return 0\x3b\}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21098; rev:3;)
# sid 21097: /load.php?spl=..&b=..&o=..&i=  -- the post-exploit payload fetch. classtype successful-user: a hit here
#   means an exploit most likely already ran on the client, so triage it as a probable compromise, not an attempt.
#   Eleanore (sid 21071 below) also uses load.php?spl=; the pcre parameter order (&b=&o=&i=) is what separates them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimepack exploit kit post-exploit download request"; flow:to_server, established; content:"/load.php?spl="; http_uri; pcre:"/^\/load\.php\?spl=[^&]+&b=[^&]+&o=[^&]+&i=/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:successful-user; sid:21097; rev:3;)
# sid 21096: control-panel <title>; policy-violation like the other panel rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimepack exploit kit control panel access"; flow:to_client, established; file_data; content:"<title>CRiMEPACK"; pcre:"/<title>CRiMEPACK [\d\.]+</title>/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:policy-violation; sid:21096; rev:4;)
# --- Eleanore (Eleonore) exploit kit ---
# sid 21071: load.php?spl=<module name> where the module name is one of the kit's internal exploit identifiers
#   (Spreadsheet, DirectX_DS, MS09-002, mdac, pdf_exp, javad, ...). The name tells you which exploit was served,
#   which is useful for scoping the response. Shares the load.php?spl= prefix with Crimepack sid 21097.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit post-exploit page request"; flow:to_server, established; content:"load.php?spl="; fast_pattern:only; http_uri; pcre:"/load\.php\?spl=(Spreadsheet|DirectX_DS|MS09-002|MS06-006|mdac|RoxioCP v3\.2|wvf|flash|Opera_telnet|compareTo|jno|Font_FireFox|pdf_exp|aol|javad|ActiveX_pack)/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:4;)
# sid 21070 / 21069: the "?spl=N&br=..&vers=..&s=" pattern is matched in the REQUEST HEADERS (/H, http_header), not
#   the URI -- presumably it is the landing-page URL carried in the Referer of the follow-up fetch (confirm). 21070
#   additionally requires /pdf.php in the URI; 21069 has no URI constraint, so a PDF fetch will fire both.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit pdf exploit page request"; flow:to_server, established; content:"?spl=2"; fast_pattern:only; http_header; content:"/pdf.php"; http_uri; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit exploit fetch request"; flow:to_server, established; content:"?spl="; fast_pattern:only; http_header; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21069; rev:3;)
# sid 21068: landing page identified by a server-side bug in the kit itself -- the PHP close tag "?>" followed by a
#   second copy of the "X-Powered-By: PHP/5.2.0 / Content-type" header block leaking into the response BODY.
#   Ties detection to that exact PHP version string; a kit re-hosted on another PHP build will not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Eleanore exploit kit landing page"; flow:to_client, established; file_data; content:"X-Powered-By|3A| PHP/5.2.0|0D 0A|Content-type|3A| text/html|0D 0A 0D 0A|?>X-Powered-By|3A| PHP/5.2.0|0D 0A|"; content:"?>X-Powered-By: PHP/5.2.0"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21068; rev:3;)
# --- Blackhole exploit kit, continued (disabled by default) ---
# sid 21045 / 21044: landing pages, gated on kit.blackhole (set by 21348/21347/21041). Both require a run of 20
#   consecutive delimited numbers -- ",NNN" x20 for 21045, "#NN" x20 for 21044 -- which is the kit's encoded payload
#   array. 21044 additionally keys on the "new Date().getDay" anti-analysis/time-based decode trick.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>|0D 0A|if(window.document)"; fast_pattern:only; pcre:"/(,\d{1,3}){20}/"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21045; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>"; content:"new Date().getDay"; fast_pattern:only; pcre:"/(#\d{1,2}){20}/"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21044; rev:5;)
# sid 21043 / 21042: post-compromise payload fetch -- a single-letter script (/x.php) with exactly two hex parameters
#   e= and f= in either order, anchored at end of URI. Not flowbit-gated, and a one-letter .php with two hex params
#   is a generic enough shape to collide with legitimate sites; that false-positive exposure is presumably why these
#   are shipped disabled. A hit should be treated as a likely successful exploitation (payload download stage).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit post-compromise download attempt - .php?e="; flow:to_server, established; content:".php?e="; http_uri; pcre:"/\/[a-z]\.php\?e=[\da-f]+&f=[\da-f]+$/U"; metadata:impact_flag red, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21043; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit post-compromise download attempt - .php?f="; flow:to_server, established; content:".php?f="; http_uri; pcre:"/\/[a-z]\.php\?f=[\da-f]+&e=[\da-f]+$/U"; metadata:impact_flag red, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21042; rev:10;)
# sid 21041: main.php?page=<16 hex>, third setter of kit.blackhole (alongside 21348/21347). Alerts itself.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - main.php?page="; flow:to_server, established; content:"/main.php?page="; http_uri; pcre:"/main\.php\?page=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21041; rev:11;)
# sid 20669 / 20668 (disabled): bare URI indicators (/w.php?f= and /content/v1.jar) derived from a single VirusTotal
#   sample. These are IOC-grade, not family-grade: short generic paths with no structural constraint on the value, so
#   they both age out quickly and collide with unrelated sites. Keep disabled unless you have a current reason.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI - w.php?f="; flow:to_server,established; content:"/w.php?f="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file-scan/report.html?id=52d5b9afeb36a048f139923e57fa3ba0fa6d0f02f8ceb1224ac834ca72932584-1323095217; classtype:trojan-activity; sid:20669; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI - /content/v1.jar"; flow:to_server,established; content:"/content/v1.jar"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file-scan/report.html?id=52d5b9afeb36a048f139923e57fa3ba0fa6d0f02f8ceb1224ac834ca72932584-1323095217; classtype:trojan-activity; sid:20668; rev:4;)
# sid 20558: /stat2.php?w=N&i=<32 hex>&a=N -- per the Symantec reference this is ZeroAccess post-infection reporting,
#   so although it sits in the exploit-kit file a hit means the host is ALREADY infected (classtype trojan-activity),
#   not that an exploit was attempted. Triage as an infected-host incident and look back for the delivery stage.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI /stat2.php"; flow:to_server,established; content:"/stat2.php?w="; nocase; http_uri; content:"i="; distance:0; nocase; http_uri; pcre:"/stat2\.php\?w=\d+\x26i=[0-9a-f]{32}\x26a=\d+/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf; reference:url,www.virustotal.com/file-scan/report.html?id=567e2dcde3c182056ef6844ef305e1f64d4ce1bf3fa09d8cdc019cca5e73f373-1318617183; reference:url,www.virustotal.com/file/8380bd105559643c88c9eed02ac16aef82a16e62ef82b72d3fa85c47b5441dc7/analysis/; classtype:trojan-activity; sid:20558; rev:6;)
# sid 27005: content-type/extension mismatch -- response header declares an mp3 filename (filename=...mp3 ending the
#   header line, hence the |0D 0A| within:4) but the body is a Windows PE. The PE check is the standard Snort idiom:
#   after matching "MZ" the cursor is at offset 2; byte_jump:4,58,relative reads the 4-byte little-endian value at
#   2+58 = 0x3C (e_lfanew, the DOS-header pointer to the PE header) and lands the cursor 64 bytes past it, and
#   distance:-64 rewinds so "PE\0\0" must sit exactly at e_lfanew. This validates a real PE, not just "MZ" text.
#   NOTE(review): "mp3" is matched case-sensitively here, whereas sid 27108 below uses nocase on "exe"; a server
#   sending filename=X.MP3 would not match. Consider `content:"mp3"; within:25; nocase; http_header;` for parity.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Portable Executable downloaded when mp3 is declared"; flow:to_client,established; content:"filename="; http_header; content:"mp3"; within:25; http_header; content:"|0D 0A|"; within:4; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27005; rev:3;)
# sid 26985: Rawin kit -- rawin.php?b=<uppercase hex>&v=1.<...>. "&v=1." is presumably the victim's Java version being
#   reported back (confirm); as with Crimepack 21099 the hex class is uppercase-only (no /i).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:2;)
# sid 27113: DotkaChef/Rmayana/DotCache -- "/?f=a&k=N" with an optional "&h=" tail (the pcre allows end-of-URI or &h=
#   after the digits). Sets file.exploit_kit.jar for a downstream payload rule that is not in this part of the file;
#   it alerts in its own right, so it remains useful even if that consumer is disabled.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=a"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:4;)
# sid 27110 (disabled): Blackholev2/Cool -- php?sf=N&Ze=N&m=N executable request; sets file.exploit_kit.pe for a
#   downstream rule outside this view.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; content:"php?sf="; http_uri; content:"&Ze="; distance:0; http_uri; content:"&m="; distance:0; http_uri; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/U"; flowbits:set,file.exploit_kit.pe; metadata:service http; classtype:trojan-activity; sid:27110; rev:3;)
# sid 27109 (disabled): jar containing Momomo.class. Gated on file.jar, which is NOT set anywhere in this file (it comes
#   from the file-type identification rules); if those are disabled this rule can never fire even when enabled.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Momomo.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27109; rev:2;)
# sid 27108: mismatch rule, mirror of 27005 -- header declares an .exe filename (case-insensitive) but the body starts
#   with the zip magic "PK" and contains ".class" somewhere after it, i.e. a Java archive. Unlike 27005 there is no
#   structural validation beyond the two literals, so any zip listing a .class entry under an exe name will match;
#   that is acceptable because the filename/content mismatch itself is the suspicious signal.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; content:"filename="; http_header; content:"exe"; within:25; nocase; http_header; content:"|0D 0A|"; within:4; http_header; file_data; content:"PK"; content:".class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27108; rev:2;)
# sid 27107 / 27106 (disabled): Blackholev2 jar payloads identified by class name (|00|Han.class, Bjisad.class).
#   Both depend on flowbits file.jar being set by rules outside this file. Class-name indicators are sample-specific
#   and rotate with each kit build, which is consistent with these being shipped disabled.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|00|Han.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27107; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bjisad.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27106; rev:2;)
# sid 27086: malvertising stage-1 redirect -- a page that builds an applet at runtime via createElement + setAttribute
#   of archive/codebase/id/code, then appendChild, with each step within 65 bytes of the previous one.
#   NOTE(review): this rule has no file_data, unlike its sibling 27085 and the other landing-page rules, so the
#   contents are matched against the raw reassembled payload rather than the decoded HTTP body; a gzip- or
#   chunk-encoded response will presumably not match. Adding file_data before the first content is worth testing.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var "; fast_pattern; content:"document.createElement("; within:80; content:".setAttribute(|22|archive|22|, "; within:65; content:".setAttribute(|22|codebase|22|, "; within:65; content:".setAttribute(|22|id|22|, "; within:65; content:".setAttribute(|22|code|22|, "; within:65; content:"|22|)|3B 0A|document.body.appendChild("; within:65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:2;)
# sid 27085: the jar that stage 1 loads -- zip ("PK") listing pipe.class, inc.class and fdp.class in that order
#   (fast pattern on the last, rarest name). Gated on file.jar, which is set outside this file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:2;)
# --- Nailed exploit kit ("autopwn" mode). One rule per exploit module, keyed on the fixed resource path the kit uses
#     for each; the path names map directly to the referenced CVE, which makes the alert itself tell you which
#     client component was targeted: /rhino/1.jar -> Java CVE-2011-3544, /jmxbean/1.jar -> Java CVE-2013-0422,
#     /flash_atf/*.swf -> Flash CVE-2012-1535, /ie_exec/2.html -> IE CVE-2012-4969, /ff_svg/1.bin -> Firefox
#     CVE-2013-0757. These are plain literal paths, so a kit operator renaming a directory defeats them; the two
#     landing-page rules (27079/27078) are the more durable part of the set. ---
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit rhino remote code execution exploit download - autopwn"; flow:to_server,established; content:"/rhino/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27084; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn"; flow:to_server,established; content:"/jmxbean/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27083; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit flash remote code execution exploit download - autopwn"; flow:to_server,established; content:"/flash_atf/"; fast_pattern; http_uri; content:".swf"; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-1535; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27082; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Internet Explorer exploit download - autopwn"; flow:to_server,established; content:"/ie_exec/2.html"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-4969; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27081; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Firefox exploit download - autopwn"; flow:to_server,established; content:"/ff_svg/1.bin"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0757; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27080; rev:1;)
# sid 27079: stage-2 landing page, keyed on the kit's own JavaScript identifier global_exploit_list[exploit_idx].resource.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page stage 2"; flow:to_client,established; file_data; content:"global_exploit_list[exploit_idx].resource"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27079; rev:1;)
# sid 27078: stage-1 landing page, keyed on the kit's unusual "<html > <head > <title > Loading" tag spacing.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<html > <head > <title > Loading"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27078; rev:1;)
# sid 27072 / 27071 (disabled): Blackhole landing page at /<32 hex>/a.php or /<16 hex>/a.php (urilen guards make the
#   pcre cheap). Both carry a negated header match `content:!"siteadvisor.com"; http_header;` -- an explicit
#   exclusion for McAfee SiteAdvisor crawler traffic (presumably via its User-Agent/Referer) so that a reputation
#   scanner fetching the same URL does not raise an alert. Keep that exclusion in mind when reusing the pattern.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>32; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27072; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>16; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27071; rev:3;)
# sid 27069 (disabled): Blackholev2 PE payload carrying the literal path c:\Soft\cebhlpod.txt; gated on file.exe,
#   set outside this file. Sample-specific string.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious portable executable download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"c|3A 5C|Soft|5C|cebhlpod.txt"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27069; rev:3;)
# sid 27068 (disabled): Blackholev2 jar with Tretre.class; gated on file.jar, set outside this file.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Tretre.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27068; rev:3;)
# sid 27067 (disabled): Blackholev2 landing page keyed on the literal "}catch(qwqw){" -- a hard-coded variable name
#   in the kit's obfuscation template. Its CVE list is the v2 exploit set (through CVE-2013-2423), distinct from the
#   v1 list used by the 21xxx rules above.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(qwqw){"; fast_pattern:only; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27067; rev:3;)
# --- Styx exploit kit plugin-detection stage: requests for /jovf.html, /jlnp.html and /jorg.html, each anchored to the
#     end of the URI ($) so that longer paths sharing the prefix do not match. These fire BEFORE any exploit is served
#     (the kit is fingerprinting the browser), so a hit is an early-warning attempt indicator; correlate with the
#     subsequent payload fetch to decide whether exploitation followed. ---
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; content:"/jlnp.html"; fast_pattern:only; http_uri; pcre:"/\/jlnp\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:3;)
# sid 27026: Neutrino landing page -- two single-quoted <link href='...css' rel='stylesheet'> tags within 100 bytes of
#   each other followed by the inline "{a={plugins:" fragment (the kit's embedded plugin-enumeration script). Purely
#   structural; no URI or flowbit dependency.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<link href=|27|"; content:".css|27| rel=|27|stylesheet|27|><link href=|27|"; within:100; content:"{a={plugins|3A|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27026; rev:1;)
# --- "Private" exploit kit (PEP) ---
# sid 27144: outbound fetch by the JRE itself -- the request must carry "content-type: application/" and " Java/1"
#   in the request headers (the latter presumably the JRE User-Agent suffix), plus a .php URI with exactly two
#   parameters, the first alphanumeric and the second numeric.
#   NOTE(review): the first value's class is written `[a-fA-Z0-9]`. Combined with the /i flag that is simply
#   [a-zA-Z0-9] -- a-f also covers A-F and A-Z also covers a-z -- so if hex was intended (cf. [a-f0-9] in every other
#   kit rule here) this should be `[a-fA-F0-9]` (or just `[a-f0-9]` under /i). As written it is broader than it looks;
#   confirm against samples from the referenced write-ups before tightening, since tightening narrows coverage.
#   Also note this rule is policy balanced-ips ALERT (not drop), unlike its siblings -- a deliberate lower confidence.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; content:".php?"; http_uri; content:"content-type: application/"; http_header; content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:2;)
# sid 27143: landing page -- a hidden-input value beginning "JTIw", which is base64 for "%20": the kit stores its
#   URL-encoded payload base64-wrapped in a form field.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"|27| value=|27|JTIw"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27143; rev:2;)
# sid 27142: landing page -- exact opening tag sequence loading js/PluginDetect.js (mixed ' and " quoting is part of
#   the fingerprint). PluginDetect is a legitimate library, so the match is on this exact prologue, not the library.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"<html><head><script type=|27|text/javascript|27| src=|22|js/PluginDetect.js|22|>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27142; rev:2;)
# sid 27141: landing page -- ".value; <TAB> var" whitespace quirk of the kit's template. Short literal; low cost but
#   a formatting change in the kit breaks it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09| var"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:2;)
# sid 27140 (disabled): payload download whose Content-Disposition filename is exactly four digits + .exe at the end
#   of the header line. Numerically named executables are common enough in legitimate software distribution that this
#   is shipped disabled; it is only security-ips drop, with no balanced policy.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit numerically named exe file dowload"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:4; distance:4; http_header; pcre:"/filename\=\d{4}\.exe$/H"; metadata:policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:3;)
# sid 27242: generic injected-iframe indicator -- an iframe to counter.php styled invisible and pinned to 0,0. Not
#   kit-specific (hence the "possible exploit kit indicator" wording); treat as a compromised-site/redirector lead.
#   The service metadata lists ftp-data, imap and pop3 as well as http, but the rule header is restricted to
#   $HTTP_PORTS to_client, so the mail/ftp services only come into play under target-based (service-aware) inspection.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"counter.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:27242; rev:2;)
# sid 27241 (disabled): Blackholev2 landing page -- a 1x1 <OBJECT> with CLSID 5852F5ED-8BF4-11D4-A245-0080C6F74284
#   followed by a <PARAM. That CLSID is presumably the Java plug-in class the kit uses to force an applet load
#   (confirm); a 1x1 object of that type is a strong "hidden applet" indicator but can also appear on legitimate
#   pages that embed Java this way.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page detected"; flow:to_client,established; file_data; content:"<OBJECT CLASSID=|22|clsid|3A|5852F5ED-8BF4-11D4-A245-0080C6F74284|22| width=|22|1|22| height=|22|1|22|><PARAM name=|22|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27241; rev:3;)
# CritX EK: request for /rhino.php?hash=... (URI) with "content-type" and "java-archive" somewhere
# in the request headers. The two header contents are independent (no within/distance), so they
# need not sit on the same header line. The rhino.php name hints at the CVE-2011-3544 Rhino
# exploit, but the rule carries no CVE reference -- confirm before adding one.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit request structure"; flow:to_server,established; content:"/rhino.php?hash="; fast_pattern:only; http_uri; content:"content-type"; http_header; content:"java-archive"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27274; rev:2;)
# Goon/Infinity EK redirector: a fixed-position iframe pushed 550px off the left edge of the
# viewport (left:-550px) so the victim never sees it; exact-string match on the style attribute.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit iframe redirection"; flow:established,to_client; file_data; content:"<iframe style=|22|position|3A|fixed|3B|top|3A|0px|3B|left|3A|-550px|3B 22| src="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27273; rev:2;)
# iFramer injection toolkit, specific variant: the distinctive }catch(dgsgsdg identifier.
# A fixed identifier is trivially changed by the toolkit author -- expect to re-tune.
# The CVE references are the exploits delivered after the redirect, not anything this rule checks.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer toolkit injected iframe detected - specific structure"; flow:to_client,established; file_data; content:"}catch(dgsgsdg"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27271; rev:2;)
# Disabled by default (no policy action). Blackhole v2 landing page fingerprints: two fixed
# JavaScript fragments from the kit's obfuscation layer -- a try/catch probe on document.body
# and the jref/nip charAt decoder loop. Enable only if Blackhole v2 traffic is still a concern.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"try{++((document.body))}catch(va){if("; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27603; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:" = jref[ind](nip[|22|charAt|22|](i))|3B|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27602; rev:2;)
# Kore EK, three stages:
#  27697 - post-exploit beacon: a request carrying ?id=...&text= with a " Java/1." User-Agent
#          (the request comes from the JVM, not the browser). The URI pattern is generic, so the
#          Java UA is what narrows it; expect noise from legitimate Java clients hitting such URLs.
#  27696 - landing page whose </title>/</head>/<body> boundary uses bare LF line endings (|0A|)
#          followed by <script src="jquery.js (the 1-byte distance skips the quote);
#          CRLF-terminated pages do not match.
#  27695 - landing page applet embed built by string concatenation ('+ ... +'_embedded") with a
#          .jnlp param and a 10px-wide .zip archive.
# The reference URL discusses CVE-2013-2465 while the rules cite CVE-2013-2471 -- verify which
# exploit the kit actually used before relying on the reference.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Kore exploit kit successful Java exploit"; flow:to_server,established; content:"?id="; http_uri; content:"&text="; distance:0; fast_pattern; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27697; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Kore exploit kit landing page"; flow:to_client,established; file_data; content:"</title>|0A|</head>|0A|<body>|0A|<script src="; content:"jquery.js"; within:9; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27696; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Kore exploit kit landing page"; flow:to_client,established; file_data; content:".jnlp|22| /><param name=|22 27|+"; content:"+|27|_embedded|22|"; content:".zip|22| width=|22|10|22|><param name=|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27695; rev:1;)
# Disabled by default. Blackhole v2 redirection markers: an off-screen CSS block (top/left
# -1000px, 1x1 box) and two HTML comments with fixed hash-like tokens that the injector leaves
# around the redirect. The comment tokens are campaign-specific and will age out.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page"; flow:to_client,established; file_data; content:"position|3A|absolute|3B|top|3A|-1000px|3B|left|3A|-1000px|3B|text-indent|3A|-1000|3B|width|3A|1px|3B|height|3A|1px|3B|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27715; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection injection"; flow:to_client,established; file_data; content:"<!--f04d6c0ecc742ce800a316c742197c6evdrd33vf5rmf60vx-->"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27713; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection injection"; flow:to_client,established; file_data; content:"<!--4db55aefd91c498bc4dd1eddca98a4b5lfvknc5uxdf4g3sa-->"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27712; rev:2;)
# Gong Da EK:
#  27706 (disabled) - jar served under an image name: requires one of the file.jpeg/png/gif
#          flowbits (set by file-type rules outside this section), then a ZIP signature at the
#          very start of the body (PK, depth:2) and a .class entry.
#  27705 / 27704 - the kit's Java exploit fetched as /wmck.jpg or /ckwm.jpg by a " Java/1"
#          User-Agent; both set file.exploit_kit.jar so 27816 can flag the returned archive.
#  27702 - landing page: a user-agent sniff ck_wm.indexOf("linux")<=-1 followed later by a cookie
#          expiry write (+expires.toGMTString();). No fast_pattern is given, so Snort selects the
#          fast-pattern content itself.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit possible jar download"; flow:to_client,established; flowbits:isset,file.jpeg|file.png|file.gif; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; metadata:service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27706; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/wmck.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27705; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/ckwm.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27704; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit landing page"; flow:to_client,established; file_data; content:"ck_wm.indexOf(|22|linux|22|)<=-1"; content:"+expires.toGMTString()|3B|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27702; rev:2;)
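# Jar delivered under a .zip Content-Disposition: response headers carry filename=...zip and the
# body starts with a ZIP signature (PK at offset 0) that contains a .class entry.
# Fix: the header check used to require ".zip" immediately followed by CRLF, so a quoted
# filename ("name.zip") -- the common form -- never matched. The .zip content now only positions
# the search and the pcre accepts an optional closing quote before the CRLF; everything the old
# rule matched still matches. rev bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Oracle Java Jar file downloaded when zip is defined"; flow:to_client,established; content:"filename="; http_header; content:".zip"; distance:0; http_header; pcre:"/filename=\x22?[^\x22\r\n]*\.zip\x22?\r\n/H"; file_data; content:"PK"; depth:2; content:".class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26292; rev:7;)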
# Silent flowbit setter (flowbits:noalert): any .zip URI requested with a " Java/1" User-Agent
# marks the flow with file.exploit_kit.jar so that 27816 can alert on the returned archive.
# classtype misc-activity and no policy action -- it never alerts on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Zip file downloaded by Java"; flow:to_server,established; content:".zip"; nocase; http_uri; content:" Java/1"; fast_pattern:only; http_header; flowbits:set,file.exploit_kit.jar; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:27741; rev:2;)
# Generic multi-kit page structures:
#  27739 - applet tag padded with JS comments: */height=", then " code=" within a short window,
#          .class" /* (the fast pattern), a .zip" width=" archive and a "><param name=" that must
#          follow closely (within:25).
#  27738 - document.write('<iframe style="position:fixed;top:..px;left:.." height=".." width=".."></iframe>')
#          with each fragment bounded by within:25 so the pieces have to be adjacent.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit redirection page"; flow:to_client,established; file_data; content:"|2A 2F|height=|22|"; content:"|22| code=|22|"; within:25; distance:1; content:".class|22| |2F 2A| "; distance:0; fast_pattern; content:".zip|22| width=|22|"; distance:0; content:"|22|><param name=|22|"; within:25; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27739; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page"; flow:to_client,established; file_data; content:"document.write(|27|<iframe style=|22|position|3A|fixed|3B|top|3A|"; content:"px|3B|left|3A|"; within:25; distance:1; content:"|22| height=|22|"; distance:0; content:"|22| width=|22|"; within:25; content:"></iframe>|27|"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27738; rev:1;)
# IFRAMEr tool (cookie-bomb attack, see reference):
#  27734 - specific marker comment /*/0f2490*/ embedded in the injected script.
#  27733 (disabled) - generic nested try{;}catch(..){try{ wrapper; generic enough to hit benign
#          minified JS, hence security-ips only and off by default.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - specific structure"; flow:to_client,established; file_data; content:"/*/0f2490*/"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27734; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - generic structure"; flow:to_client,established; file_data; content:"try|7B 3B 7D|catch("; content:"){try{"; within:30; metadata:policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27733; rev:2;)
# Neutrino EK plugin-detection page: jQuery $(document).ready( followed later by an assignment
# of PluginDetect.getVersion inside a comma-separated declaration. PluginDetect is a general-
# purpose library, so only the combination narrows the match; expect some benign hits.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit plugin detection page"; flow:to_client,established; file_data; content:"$(document).ready("; content:"=PluginDetect.getVersion,"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27783; rev:1;)
# Jar delivery consumer: fires only when file.exploit_kit.jar was set earlier on the flow by one
# of the kit-specific request/landing rules (27705, 27704, 27741, 27813, 27878, 27877, 27876,
# 27873 and 27866 in this section; possibly others elsewhere) and the response body begins with
# a ZIP signature (PK within the first 5 bytes) followed by a .class entry.
# Drops in balanced, security and max-detect policies.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file download attempt"; flow:to_client,established; flowbits:isset,file.exploit_kit.jar; file_data; content:"PK"; depth:5; content:".class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27816; rev:9;)
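# Styx EK redirect request: /n.php?h=<alnum>&s=<1-5 alnum> at the end of the normalized URI.
# Fix: the first content had no http_uri modifier, so it was searched in the raw payload while
# the "&s=" content (relative to it) and the pcre used the URI buffer. All three checks now run
# on the normalized URI, which is what the /U pcre already required; a URL-encoded request line
# that only matched after normalization is no longer missed. rev bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit malicious redirection attempt"; flow:to_server,established; content:"/n.php?h="; http_uri; content:"&s="; distance:0; http_uri; pcre:"/\x2fn\.php\?h=[a-zA-Z0-9]*?\&s=[a-zA-Z0-9]{1,5}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27815; rev:2;)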
# Styx EK:
#  27814 - landing page request: the URI is exactly /i.html (urilen:7) and the Referer value is
#          roughly 100 bytes or longer (no CRLF within 100 bytes after "Referer:", then a CRLF
#          further on), i.e. the long gate URL the victim arrived from.
#  27813 - landing page with payload: document.write('<applet archive="...jar" code="..."><param value="http://
#          where the URL runs at least 60 bytes without a closing quote. Sets file.exploit_kit.jar
#          so 27816 catches the jar on the same flow.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:7; content:"/i.html"; depth:7; fast_pattern; http_uri; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:100; http_header; content:"|0D 0A|"; distance:0; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27814; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page with payload"; flow:to_client,established; file_data; content:"document.write(|27|<applet archive=|22|"; content:".jar|22| code=|22|"; within:50; content:"|22|><param value=|22|http|3A 2F 2F|"; content:!"|22|"; within:60; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27813; rev:2;)
# Fiesta EK redirect: URI begins with the fixed directory /8jxtl5i/ (depth:9), is longer than 63
# bytes and ends in ?<60-66 hex chars> optionally followed by ;-separated digits. The directory
# token is instance-specific and will rotate.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Fiesta exploit kit redirection"; flow:to_server,established; content:"/8jxtl5i/"; depth:9; http_uri; urilen:>63; pcre:"/\x2f\?[0-9a-f]{60,66}[\x3b\d]*$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27810; rev:3;)
# Disabled by default (community ruleset). Blackhole v2/Cool payload fetch: GET from a " Java/1."
# User-Agent to .../<word>_<word>.php?k=v&k=v (or closest/<token>.php) with a 50-150 byte URI.
# Structural only -- no fixed string beyond ".php?" -- so it is noisy; 28028 below is the
# five-parameter variant.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:27907; rev:7;)
# Multi-kit payload names (Blackhole-style, per the webroot reference): response header
# filename= followed by an optional quote (within = name length + 1) and one of readme.dll,
# calc.dll, contacts.dll, info.dll or about.dll, then a CRLF within 4 bytes (room for a closing
# quote). Five sids that differ only in the name -- keep them in sync when tuning one.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - readme.dll"; flow:to_client,established; content:"filename="; http_header; content:"readme.dll"; within:12; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27898; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - calc.dll"; flow:to_client,established; content:"filename="; http_header; content:"calc.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27897; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - contacts.dll"; flow:to_client,established; content:"filename="; http_header; content:"contacts.dll"; within:13; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27896; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll"; flow:to_client,established; content:"filename="; http_header; content:"info.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27895; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - about.dll"; flow:to_client,established; content:"filename="; http_header; content:"about.dll"; within:10; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27894; rev:1;)
# Teletubbies EK (the "unknown EK" of the malwageddon write-up). The e= value identifies the
# exploit: 2992 -> CVE-2008-2992 (Adobe Reader, per the sibling message). /a.php?e= serves the
# exploit, /download_file.php?e= the payload. All Teletubbies rules are alert-only in the
# balanced policy and drop in security.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2008-2992; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27893; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader"; flow:to_server,established; content:"/a.php?e=2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2008-2992; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27892; rev:1;)
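# Teletubbies secondary payload /p1.exe, anchored at the end of the normalized URI.
# Consistency fix: the sibling rule for /m1.exe (27890) anchors with pcre "/\/m1\.exe$/U"; this
# one anchored by matching "p1.exe HTTP/" in the raw, unnormalized payload instead. Both forms
# reject a trailing query string; the URI-buffer form also survives URL encoding of the request
# line and keeps the pair of rules alike. rev bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit secondary payload"; flow:to_server,established; content:"/p1.exe"; fast_pattern:only; http_uri; pcre:"/\/p1\.exe$/U"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27891; rev:2;)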
# Teletubbies secondary payload /m1.exe: the pcre anchors the name at the end of the normalized
# URI, so a query string or a longer path suffix does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit secondary payload"; flow:to_server,established; content:"/m1.exe"; fast_pattern:only; http_uri; pcre:"/\/m1\.exe$/U"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27890; rev:1;)
# Teletubbies payload fetches keyed by exploit id: 900188 / 800188 -> CVE-2010-0188 (Reader 9 / 8,
# per the sibling exploit-request messages), 2884 -> CVE-2010-2884 and 1297 -> CVE-2010-1297
# (Flash). Fixed URI strings; the kit can rename download_file.php at any time.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=900188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27889; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=800188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27888; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-2884; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27887; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-1297; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27886; rev:1;)
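# Teletubbies payload /dl.exe (follows the CVE-2013-2465 Java exploit), anchored at the end of
# the normalized URI.
# Consistency fix: like 27891 this rule anchored by matching "dl.exe HTTP/" in the raw payload,
# whereas the sibling /m1.exe rule (27890) uses a "$"-anchored /U pcre. Both forms reject a
# trailing query string; the URI-buffer form also survives URL encoding of the request line and
# keeps the family alike. rev bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/dl.exe"; fast_pattern:only; http_uri; pcre:"/\/dl\.exe$/U"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27885; rev:2;)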
# Teletubbies exploit requests: /TobyClass.jar (Java, CVE-2013-2465); /a.php?e=2884 and e=1297
# (Flash, CVE-2010-2884 / CVE-2010-1297); /a.php?e=900188 and e=800188 (Reader 9 / 8,
# CVE-2010-0188). "/a.php?e=" on its own is a short generic prefix -- the numeric id carries
# the specificity, so do not loosen it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Oracle Java"; flow:to_server,established; content:"/TobyClass.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27883; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player"; flow:to_server,established; content:"/a.php?e=2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-2884; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27882; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player"; flow:to_server,established; content:"/a.php?e=1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-1297; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27881; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 9"; flow:to_server,established; content:"/a.php?e=900188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27880; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 8"; flow:to_server,established; content:"/a.php?e=800188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27879; rev:1;)
# Blackhole v2 / Cool landing page JS fragments: the (z){h="harCode";f=[ decoder prologue
# ("harCode" is likely the tail of fromCharCode split to defeat simple matching) and a
# split-string ["s"+"u"+"bs"+"t"+"r"] property access that hides "substr". Both set
# file.exploit_kit.jar so the follow-on jar is caught by 27816.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit landing page"; flow:to_client,established; file_data; content:"(z){h=|22|harCode|22 3B|f=["; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27878; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit landing page"; flow:to_client,established; file_data; content:"[|22|s|22|+|22|u|22|+|22|bs|22|+|22|t|22|+|22|r|22|]"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27877; rev:1;)
# DotkaChef / Rmayana / DotCache:
#  27876 - a PE served as audio/mpeg. After "MZ", byte_jump reads the 4-byte little-endian
#          e_lfanew at offset 0x3C (relative offset 58 after the 2-byte match) and jumps past it;
#          the PE\0\0 check then steps back 64 bytes from the post-jump cursor, which lands
#          exactly on the header e_lfanew points to. "MZ" carries no depth, so it may match
#          anywhere in the body, not only at offset 0. It sets file.exploit_kit.jar although the
#          object is a PE -- looks like deliberate reuse of the jar flowbit; confirm before changing.
#  27875 - ,$$$$:(![]+"") -- a fragment of a symbol-only JS obfuscator (resembles jjencode);
#          the same obfuscator appears outside exploit kits, hence the guarded message.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download"; flow:to_client,established; content:"Content-Type|3A 20|audio/mpeg"; fast_pattern:only; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27876; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit"; flow:to_client,established; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27875; rev:3;)
# Kore EK payload fetch: a URI containing .html1.zip requested by a " Java/1." User-Agent;
# sets file.exploit_kit.jar so 27816 inspects the response.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Kore exploit kit outbound payload download attempt"; flow:to_server,established; content:".html1.zip"; fast_pattern:only; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27873; rev:1;)
# Blackhole v2 / Darkleech (community ruleset):
#  27866 - landing page opener <body><b></b><style>div{overflow:hidden;width:1px;height:1px}</style><div>
#          (a 1x1 clipped div); sets file.exploit_kit.jar for 27816.
#  27865 - landing page request: GET /<32 hex>/<word>-<word>.php (urilen > 32), skipping requests
#          whose headers mention PacketShaper or siteadvisor.com -- presumably appliance/crawler
#          User-Agents that fetch such URLs and would otherwise alert; verify before removing.
#          impact_flag red.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page"; flow:to_client,established; file_data; content:"<body><b></b><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px}</style><div>"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27866; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request"; flow:to_server,established; urilen:>32; content:".php"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/[a-f0-9]{32}\/[a-z]{1,15}-[a-z]{1,15}\.php/U"; content:!"PacketShaper"; http_header; content:!"siteadvisor.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27865; rev:6;)
# Styx EK:
#  27936 - PE download gated on file.pe.styx (set by a rule outside this section): response
#          filename= followed by exactly 11 bytes and then .exe, i.e. an 11-character payload name.
#  27935 - landing page hex-decoder loop for(v=0;v<x.innerHTML.length;v+=2) w+=f(x..., enforced
#          with pcre named backreferences so the same loop and element variables recur.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit portable executable download"; flow:to_client,established; flowbits:isset,file.pe.styx; content:"filename="; http_header; content:".exe"; within:4; distance:11; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27936; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|"; within:15; content:".innerHTML.length|3B|"; content:"+=2)"; within:15; pcre:"/for\x28(?P<var>\w+)=0\x3b(?P=var)<(?P<var2>\w+)\.innerHTML.length\x3b(?P=var)\+=2\x29\x20\w+\+=\w+\x28(?P=var2)/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27935; rev:1;)
# X2O EK landing page: the kit leaves its own tag ("notredkit" or "X2O") between <table> and the
# applet; case-sensitive literal match on the whole fragment.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>notredkit<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27912; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>X2O<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27911; rev:1;)
# Sakura EK redirect: <iframe src='http://host:8509/...' border=0 width=.. height=.. scrolling=no>
# -- the non-standard port 8509 in the src is the fast pattern; the attribute order is fixed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit successful redirection"; flow:to_client,established; file_data; content:"<iframe src=|27|http|3A 2F 2F|"; content:"|3A|8509|2F|"; distance:0; fast_pattern; content:"|27| border=0 width="; distance:0; content:"height="; within:25; content:"scrolling=no></iframe>"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28038; rev:2;)
# Magnitude / Popads / Nuclear JNLP fetch (CVE-2013-0431): "User-Agent: JNLP" and a URI of
# exactly 71 bytes shaped /<32 alnum>/<32 alnum>.jnlp (1+32+1+32+5 = 71, matching urilen:71).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude/Popads/Nuclear exploit kit jnlp request"; flow:to_server,established; urilen:71; content:".jnlp"; http_uri; content:"User-Agent|3A 20|JNLP"; fast_pattern:only; http_header; pcre:"/^\/[a-z0-9]{32}\/[a-z0-9]{32}\.jnlp/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28029; rev:2;)
# Disabled by default (community ruleset). 28028 is the Blackhole v2/Cool exploit fetch with five
# query parameters (compare 27907 with two); 28026 is a Blackhole v2 landing page CSS fragment
# (clipped 1px div after </div><i></i>).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>250; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28028; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"</div><i></i><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:28026; rev:2;)
# Hidden-iframe redirector fingerprints, same family as 27242 (counter.php):
#  28022 - IFRAMEr decoder prologue p=parseInt;ss=String;asgq="
#  28021..28016 - <name>.php" followed by the exact hidden/absolute/0px style, for relay.php,
#          rel.php, esd.php, count.php, cnt.php and clicker.php.
# The service list (ftp-data, imap, pop3) lets these also inspect decoded mail/FTP bodies where
# target-based service identification is in use; the port-based header alone limits them to HTTP.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - IFRAMEr injection tool"; flow:to_client,established; file_data; content:"p=parseInt|3B|ss=String|3B|asgq=|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28022; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"relay.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28021; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"rel.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28020; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"esd.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28019; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"count.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28018; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"cnt.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28017; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"clicker.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28016; rev:1;)
# g01pack redirect: an iframe whose src starts with http:// followed (distance:0, unbounded) by the
# kit's characteristic border/name attributes. No fast_pattern is set, so the first content is used.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT g01pack exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe src=|22|http|3A 2F 2F|"; content:"|22| style=|22|border|3A|0px #FFFFFF none|3B 22| name=|22|test|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28015; rev:1;)
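# Outbound request made by the Java plugin after a Nuclear/Magnitude Java exploit: a 35-byte URI of the
# form /<32 hex>/<digit>, sent with the Java User-Agent (" Java/1."). The User-Agent fragment has to be
# matched in the header buffer (http_header), as the sibling rules 28109/28108/28414 and Stamp 29130 do.
# Rev 5 tagged that content http_uri; because the anchored /U pcre only admits hex digits, digits and
# slashes in the URI, the content could never match there and the rule never fired. The rev is bumped so
# rule-management tooling picks up the change. This rule drops in the balanced/security policies, so
# validate against live traffic before enabling it inline - it was effectively disabled until now.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit post Java compromise download attempt"; flow:to_server,established; urilen:35; content:" Java/1."; fast_pattern:only; http_header; pcre:"/^\/[a-f0-9]{32}\/[0-9]$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28111; rev:6;)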
# Nuclear/Magnitude exploit fetches: a 70-byte URI /<32 hex>/<32 hex>.jar (Java) or .swf (Flash).
# Only the .jar rule sets file.exploit_kit.jar for the inbound file rules; the .swf rule sets no flowbit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt"; flow:to_server,established; urilen:70; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28109; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Adobe Flash exploit download attempt"; flow:to_server,established; urilen:70; content:".swf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28108; rev:3;)
# DotkaChef/Rmayana redirect script: URI /<8 hex>.js?cp= (pcre anchored at the start of the URI, /m).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana exploit kit redirection attempt"; flow:to_server,established; content:".js?cp="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{8}\.js\?cp\x3d/Umi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28138; rev:3;)
# Bleeding Life v2 module fetches, keyed on fixed jar file names in the URI. Each sets
# file.exploit_kit.jar so the inbound jar rules can classify the response. These use the
# attempted-user classtype rather than trojan-activity like the rest of this section.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/JavaSignedApplet.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28199; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-3552.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28198; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-0842Helper.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28197; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-0842.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28196; rev:1;)
# X2O post-exploit fetch: /blog/<3 alnum>.<ext> with the Java User-Agent. NOTE(review): urilen:13 only
# fits the three-letter extensions (g3d, ged, vru, nut -> 6+3+1+3 = 13); the "mm" and "be" alternatives in
# the pcre give a 12-byte URI and can never match as written. Either widen urilen to cover 12 and 13 or
# drop those two alternatives - confirm against the kit's samples before changing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT X2O exploit kit post java exploit download attempt"; flow:to_server,established; urilen:13; content:"/blog/"; http_uri; content:" Java/1."; fast_pattern; http_header; pcre:"/^\/blog\/[a-zA-Z0-9]{3}\.(g(3|e)d|mm|vru|be|nut)$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28195; rev:1;)
# X2O landing page: literal applet block preceded by the "Adikj" marker.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>Adikj<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28194; rev:1;)
# Neutrino redirect: iframe to an http:// URL with port 85 (":85/" within 30 bytes of the src) and a
# zero width attribute within the following 200 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection received"; flow:to_client,established; file_data; content:"<iframe src=|22|http|3A 2F 2F|"; content:"|3A|85|2F|"; within:30; content:"|22| width=|22|0|22|"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28213; rev:1;)
# 28238 fires on any inbound PDF (%PDF- anywhere in file_data - no depth) once file.exploit_kit.pdf is
# set on the flow; in this section that bit is set by 28237, 28477, 28967 and 29131. 28237 sets it for
# a Magnitude/Nuclear URI /<32 hex>/<10 digits>.pdf referred from an .html page. 28236 keys on the
# landing page's literal "</adress>" closing tag (a misspelling present in the kit's markup, keep as is).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kits malicious pdf download"; flow:to_client,established; flowbits:isset,file.exploit_kit.pdf; file_data; content:"%PDF-"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28238; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt"; flow:to_server,established; content:".pdf"; fast_pattern; http_uri; content:"Referer|3A|"; http_header; pcre:"/\/[0-9a-f]{32}\/[0-9]{10}\.pdf$/U"; pcre:"/Referer\x3a.*?\.html\x0d\x0a/H"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28237; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude/Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"</adress><br>"; content:"<cite>"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28236; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28233; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28291; rev:2;)
# Sweet Orange. NOTE(review): in 28265 the ".php?catalogp=" content carries no http_uri modifier, so the
# fast pattern is searched in the raw payload while the pcre is restricted to the URI (/U); the sibling
# 28264 puts every content on http_uri. Adding http_uri to that content would make the two consistent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page attempt"; flow:to_server,established; content:".php?catalogp="; fast_pattern:only; pcre:"/\.php\?catalogp\=\d{2}$/U"; content:"Referer"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28265; rev:1;)
# Post-exploit callback from the Java plugin: a .php URI carrying &special= and &alert= parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit java compromise successful"; flow:to_server,established; content:".php?"; http_uri; content:"&special="; distance:0; http_uri; content:"&alert="; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28264; rev:1;)
# HiMan post-exploit callbacks share the ".php?ex=<exploit>&name=&country=..." URI shape; the three
# rules differ in the ex= value (rhi / jre for Java with the Java User-Agent, ad for Reader). The Reader
# variant requires that "&os=" is absent from the URI. 28307 keys on the landing page's Java version
# gate (jver between 600 and 627).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise"; flow:to_server,established; content:".php?ex=rhi"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&ver=1."; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28310; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise"; flow:to_server,established; content:".php?ex=jre"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&ver=1."; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28309; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Adobe Reader compromise"; flow:to_server,established; content:".php?ex=ad"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:!"&os="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28308; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Himan exploit kit landing page"; flow:to_client,established; file_data; content:"if ((jver >= 600) && (jver < 627)) {"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-2465; reference:cve,2013-2551; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28307; rev:1;)
# Nuclear/Magnitude jar fetch, longer URI variant: /<32 hex>/<10 digits>/<32 hex>.jar (81 bytes).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt"; flow:to_server,established; urilen:81; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/\d{10}\/[a-f0-9]{32}\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28414; rev:2;)
# Magnitude redirect: JS that moves an element off-screen via negative style.left / style.top. Note the
# source port is "any" here, unlike the $HTTP_PORTS used by the neighbouring inbound rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt"; flow:to_client,established; file_data; content:"element.style.left=|27|-"; content:"px|27 3B|element.style.top=|27|-"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28413; rev:2;)
# Sakura fetches by the Java plugin, short URIs (<25 bytes): /<digits>.ld for the payload and
# /<name>.ee for the exploit; only the .ee rule sets file.exploit_kit.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt"; flow:to_server,established; urilen:<25; content:".ld"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\.ld$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28450; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit outbound connection attempt"; flow:to_server,established; urilen:<25; content:".ee"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.ee$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28449; rev:1;)
# Glazunov. NOTE(review): the pcre in 28430 contains an unescaped "/" between \d+ and \d; Snort's
# pcre option parser takes the last "/" as the closing delimiter, so this appears to work, but every
# other pattern in this file escapes inner slashes (e.g. 28428 below uses \/\d+\/\d\.zip). Writing it
# as /^\/\d+\/\d\.zip$/U would be consistent and avoids relying on that parser behaviour.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit zip file download"; flow:to_server,established; content:".zip"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+/\d\.zip$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28430; rev:2;)
# 15-byte URI /<9 alnum>.jnlp requested by the Java plugin.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt"; flow:to_server,established; urilen:15; content:".jnlp"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-z0-9]{9}\.jnlp$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28429; rev:2;)
# Landing page: the applet/object/param strings built in JS, then a "/<digits>/<digit>.zip" archive path
# right before the closing script tag.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Glazunov exploit kit landing page"; flow:to_client,established; file_data; content:"= |22|applet|22 3B 20|"; content:"= |22|object|22 3B 20|"; within:50; content:"=|27|param|27 3B 20|"; within:50; content:".zip|27 3B| </script>"; distance:0; pcre:"/\/\d+\/\d\.zip\x27\x3b/"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28428; rev:2;)
# Nuclear IE exploit page: /<32 hex>/<10 digits>/<32 hex>/<10 digits>.tpl.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; content:".tpl"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/\d{10}\/[a-f0-9]{32}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-2551; classtype:trojan-activity; sid:28424; rev:1;)
# Generic: a response header whose filename= is a single digit followed by .exe (optionally quoted).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit single digit exe detection"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:6; fast_pattern; http_header; pcre:"/filename=[\x22\x27]?\d\.exe[\x22\x27]?/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28423; rev:1;)
# Styx. 28478: landing request /i.html?<4 alnum>=<15 alnum>... (URI > 100 bytes) with a Referer line
# that has no CRLF within its first 125 bytes, i.e. a long Referer. 28477: a short .pdf URI whose
# headers contain "/i.html?" (the landing page as Referer) and again a Referer longer than 100 bytes;
# it sets file.exploit_kit.pdf for 28238. Note the "." in "i.html" is unescaped in the 28478 pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; fast_pattern; http_uri; pcre:"/^\/i.html\?[a-z0-9]{4}\x3D[a-z0-9]{15}/smiU"; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:125; http_header; content:"|0D 0A|"; distance:0; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28478; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound pdf request"; flow:to_server,established; urilen:<25; content:".pdf"; http_uri; content:"/i.html?"; fast_pattern:only; http_header; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:100; http_header; content:"|0D 0A|"; distance:0; http_header; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28477; rev:1;)
# Neutrino generic rules, all keyed on the kit's use of port 8000 in the Host/Referer header.
# 28476: Java plugin request with URI /<word>?<word>=<word>. 28475 (GET) and 28474 (POST) both require a
# Referer of the form <host>:8000/<word>?<word>=<6-7 digits>; 28474 is the plugin-detection POST, which
# has a URI shorter than 18 bytes. The "norm" modifier on urilen matches the normalized URI length.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request by Java - generic detection"; flow:to_server,established; urilen:21<>39; content:":8000"; fast_pattern:only; http_header; content:" Java/1."; http_header; pcre:"/\/[a-z]+\?[a-z]+\=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28476; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:":8000/"; fast_pattern:only; http_header; content:"Referer"; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28475; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound plugin detection response - generic detection"; flow:to_server,established; urilen:<18,norm; content:"POST"; http_method; content:"Referer|3A|"; http_header; content:"|3A|8000/"; distance:0; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28474; rev:6;)
# Angler. 28616 (disabled) and 28615 match 15-byte URIs starting with /1 (payload) or /0 (exploit) and
# no Referer; 28615 additionally requires a User-Agent header and sets both the jar and silverlight
# flowbits. 28614/28613 key on the landing page (Silverlight object with a "/0..." source, and a literal
# "Microsoft apple.com" title). 28612 classifies the inbound Silverlight package - a zip ("PK") that
# contains AppManifest.xaml and a .dll - only when file.exploit_kit.silverlight is set on the flow.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit payload download attempt"; flow:to_server,established; urilen:15; content:"/1"; depth:2; fast_pattern; http_uri; pcre:"/^\/1[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:!"Referer"; http_header; content:!"Host|3A| fb.me|0D 0A|"; http_header; metadata:service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28616; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit exploit download attempt"; flow:to_server,established; urilen:15; content:"/0"; depth:2; fast_pattern; http_uri; pcre:"/^\/0[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:"User-Agent|3A|"; http_header; content:!"Referer"; http_header; flowbits:set,file.exploit_kit.jar; flowbits:set,file.exploit_kit.silverlight; metadata:service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28615; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"type=|22|application/x-silverlight-2|22|"; content:"<param name=|22|source|22| value=|22|/0"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28614; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<title>|0D 0A 20 20|Microsoft apple.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28613; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Silverlight exploit download"; flow:to_client,established; flowbits:isset,file.exploit_kit.silverlight; file_data; content:"PK"; content:"AppManifest.xaml"; distance:0; content:".dll"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28612; rev:2;)
# Sakura, second set. 28611: /<name>.rtf fetched by Java, sets file.exploit_kit.jar. 28610 is a silent
# tagging rule (flowbits:noalert) that sets file.sakura_kit on a /<name>.doc request; 28609 then alerts on
# the inbound body containing the repeated "secret" XOR key marker. 28608 depends on file.jar, which is
# set outside this section (presumably by the file-identify rules - verify). "retreive" in the 28610
# msg is a typo; left as is since a msg change needs a rev bump.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit outbound connection attempt"; flow:to_server,established; urilen:<25; content:".rtf"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.rtf$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28611; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retreive attempt"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.doc$/U"; flowbits:set,file.sakura_kit; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:28610; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download"; flow:to_client,established; flowbits:isset,file.sakura_kit; file_data; content:"secretsecretsecretsecretsecretsecret"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28609; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit Atomic exploit download - specific-structure"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main-Class|3A| atomic.Atomic"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28608; rev:1;)
# Nuclear, numeric-path variant: /f/1<9 digits>/<9-10 digits>/<digit>... for the payload (sets
# file.exploit_kit.pe), /<9-10 digits>/1<9 digits>.jar for the Java exploit, /<10 digits>/<10 digits>.tpl
# for the IE exploit. 28593 is the generic PE classifier gated on file.exploit_kit.pe: after "MZ" it
# byte_jumps over the 4-byte e_lfanew at file offset 0x3C and, backing up 64 bytes, expects "PE\0\0"
# there. "MZ" has no depth, so it is searched anywhere in file_data, not only at offset 0.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit payload request"; flow:to_server,established; urilen:24<>26,norm; content:"/f/"; fast_pattern:only; http_uri; pcre:"/^\/f\/1\d{9}\/\d{9,10}(\/\d)+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28596; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Oracle Java jar file retrieval"; flow:to_server,established; urilen:25<>26,norm; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d{9,10}\/1\d{9}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28595; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; urilen:26,norm; content:".tpl"; fast_pattern:only; http_uri; pcre:"/^\/\d{10}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28594; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28593; rev:1;)
# Goon/Infinity family. 28798: unquoted iframe attributes (name=Twitter ... src=http://). 28797: the
# repeated "binkey" XOR-key marker in an inbound body. 28796: the cnt.php?id=<digits> follow-up request;
# this one is alert-only in the balanced/security policies, unlike its neighbours. 28795: /<digits>.mp3
# fetched by the Java plugin, which sets file.exploit_kit.pe so 28593 can classify the reply.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit possibly malicious iframe embedded into a webpage"; flow:to_client,established; file_data; content:"name=Twitter scrolling=auto frameborder=no align=center height="; content:" width="; within:20; content:" src=http|3A 2F 2F|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28798; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt"; flow:to_client,established; file_data; content:"binkeybinkeybinkeybinkeybinkeybinkey"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,vrt-blog.snort.org/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28797; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT iFRAMEr successful cnt.php redirection"; flow:to_server,established; content:"/cnt.php?id="; fast_pattern:only; http_uri; content:"Referer|3A 20|"; http_header; pcre:"/^\/cnt\.php\?id=\d+$/U"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,vrt-blog.snort.org/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28796; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt"; flow:to_server,established; urilen:<30; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/\d+\.mp3$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0507; reference:url,vrt-blog.snort.org/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28795; rev:3;)
# Neutrino initial request: same :8000 host marker as 28475, but the /<word>?<word>=<6-7 digits> shape
# is checked on the request URI (/U) rather than on the Referer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:":8000"; fast_pattern:only; http_header; content:"Referer"; http_header; pcre:"/\x2f[a-z]+\?[a-z]+=\d{6,7}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28911; rev:1;)
# HiMan, second set. 28969: fixed payload name /tx.exe (sets file.exploit_kit.pe). 28968: /fla.swf with a
# Flash client header and a Referer of fla.php?wq=<hex>. 28967: long URI with .php?hgfc=<hex>, sets the
# pdf flowbit. 28966: POST body starting with hyt= and containing &vre=. 28963: the landing page's Flash
# version gate. "retreival" in the 28969 msg is a typo; left as is since a msg change needs a rev bump.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string"; flow:to_server,established; content:"/tx.exe"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28969; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound flash exploit retrieval attempt"; flow:to_server,established; content:"/fla.swf"; fast_pattern:only; http_uri; content:"x-flash-version|3A 20|"; http_header; pcre:"/Referer\x3a[^\n]*fla\.php\?wq=[a-f0-9]+\x0d\x0a/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28968; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection"; flow:to_server,established; urilen:>100; content:".php?hgfc="; fast_pattern:only; http_uri; pcre:"/\.php\?hgfc\=[a-f0-9]+$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28967; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound POST connection"; flow:to_server,established; content:"POST"; http_method; content:"hyt="; depth:4; http_client_body; content:"&vre="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28966; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT HiMan exploit kit Flash Exploit landing page"; flow:to_client,established; file_data; content:"flash_version != null && flash_version[0] < 116000"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28963; rev:1;)
# SPL2. 29003: URI ending in .html?jar, from the Java plugin (sets the jar flowbit). 29002: URI ending
# in .html?sv=<1-5>,<n>[,<n>[,<n>]] - a Silverlight version string. 29001: the landing page's PluginDetect
# calls; note it has no file_data, so these contents are matched in the raw (non-decoded) buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit jar exploit download"; flow:to_server,established; content:".html?jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\.html\?jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit Silverlight plugin outbound connection attempt"; flow:to_server,established; content:"html?sv="; fast_pattern:only; http_uri; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SPL2 exploit kit landing page detection"; flow:to_client,established; content:"$$.getVersion(|22|Silverlight|22|)|3B|"; content:"$$.getVersion(|22|Java|22|)"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29001; rev:1;)
# Stamp. 29131: short URI /<1-2 digits><L><1-2 digits><L><1-2 digits><L><1-2 digits>.pdf where the same
# uppercase letter L is repeated (named-group backreference); sets the pdf flowbit. 29130: 13-byte URI
# /<4 digits>/<7 digits> from the Java plugin. 29129: fixed jar name /hanger.jar. 29128: the plugin
# detection page building the PDF exploit URL from PluginDetect's AdobeReader version.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt"; flow:to_server,established; urilen:<16; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/\d{1,2}(?P<letter>[A-Z])\d{1,2}(?P=letter)\d{1,2}(?P=letter)\d{1,2}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29131; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload download attempt"; flow:to_server,established; urilen:13; content:" Java/1."; fast_pattern:only; http_header; pcre:"/^\/\d{4}\/\d{7}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29130; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit jar exploit download - specific structure"; flow:to_server,established; content:"/hanger.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29129; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29128; rev:1;)
# --- Angler exploit kit ---
# XOR-obfuscated payload: fixed 16-byte prefix at the very start of the file body. Uses
# $FILE_DATA_PORTS and the ftp-data/imap/pop3 services in addition to http, so mail and FTP delivery
# are covered too. Static-prefix signatures like this stop matching as soon as the kit rotates its key.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit XORed payload download attempt"; flow:to_client,established; file_data; content:"|7C 68 A3 34 36 36 37 38 35 32 33 34 CA C9 37 38|"; depth:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/12/cve-2013-5329-or-cve-2013-5330-or.html; classtype:trojan-activity; sid:29066; rev:3;)
# --- CritX exploit kit ---
# Payload delivery: Content-Disposition filename of 24 hex chars + ".exe". The negative lookahead
# rejects names that are all letters or all digits, so an ordinary word or a plain number does not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; content:".exe|0D 0A|"; fast_pattern:only; http_header; content:"filename="; http_header; content:".exe|0D 0A|"; within:6; distance:24; http_header; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/H"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29167; rev:1;)
# Payload request via the IE path (loadmsie.php?id=). sid 30973 (/load*.php) later in this file also
# covers loadmsie.php, so both may fire on one request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_server,established; content:"/loadmsie.php?id="; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29166; rev:1;)
# JRE fetching /<32 hex>.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound jar request"; flow:to_server,established; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-f0-9]{32}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29165; rev:1;)
# Flash player fetching /<32 hex>.swf: x-flash-version header present and a Referer containing flash.php?id=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound flash request"; flow:to_server,established; content:".swf"; http_uri; content:"x-flash-version|3A|"; http_header; content:"Referer"; http_header; content:"flash.php?id="; distance:0; http_header; pcre:"/\/[a-f0-9]{32}\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29164; rev:1;)
# Exploit-stage request: /(javadb|javaim|javarh|silver|flash|msie).php?id=<20 hex>. The path does not say
# which exploit follows, so both the jar and pdf file.exploit_kit flowbits are set.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound exploit request"; flow:to_server,established; content:".php?id="; http_uri; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=[a-f\d]{20}/iU"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29163; rev:2;)
# --- Magnitude exploit kit ---
# IE payload request: URI is exactly "/?" + 32 hex (urilen:34) from an MSIE User-Agent with no Referer.
# NOTE(review): the fast_pattern is the 2-byte "/?", so nearly every query URI is handed to this rule
# for the pcre; there is no longer kit-specific content to choose, but expect it to be evaluated often.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request"; flow:to_server,established; urilen:34; content:"/?"; depth:2; fast_pattern; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_header; content:!"Referer|3A|"; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29189; rev:1;)
# Embedded OpenType font request: exactly "/" + 32 hex + ".eot" (urilen:37 == 1+32+4).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit embedded open type font file request"; flow:to_server,established; urilen:37; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29188; rev:2;)
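# --- Nuclear exploit kit ---
# Outbound PDF request: URI is /<8-11 digits>/1[34]<8 digits>.pdf (the second segment looks like a Unix
# timestamp) and the Referer ends in a 32+ char [\w_] .html name. The urilen bound is <28 so that the
# 11-digit first segment the pcre allows (1+11+1+10+4 = 27 bytes) is actually reachable; a bound of <27
# would silently exclude it. This matches the length check used by the sibling .htm rule (sid 29186).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound pdf request"; flow:to_server,established; urilen:<28; content:".pdf"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^\/\d{8,11}\/1[34]\d{8}\.pdf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[\w_]{32,}\.html\r$/Hsm"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29187; rev:1;)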
# Outbound .htm request: optional /<8-11 digits> and optional /<digit> prefixes, then /1[34]<8 digits>.htm,
# with a Referer to a .html page. NOTE(review): urilen:<28 cannot be met by every combination the pcre
# allows (a 10- or 11-digit prefix together with the /<digit> segment gives 28-29 bytes); harmless, but
# the pcre is looser than the length check suggests.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound connection"; flow:to_server,established; urilen:<28; content:"/1"; http_uri; content:".htm"; distance:0; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^(\/\d{8,11})?(\/\d)?\/1[34]\d{8}\.htm$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29186; rev:2;)
# --- Goon/Infinity exploit kit ---
# Landing page: nib('http:// ... followed (after a 10-byte skip, within 25 bytes) by .mp3'); -- the kit
# serves its payload under an .mp3 name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"nib|28 27|http|3A 2F 2F|"; content:".mp3|27 29 3B|"; within:25; distance:10; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29361; rev:2;)
# Encrypted binary: literal "4Um3S0Vm3" within the first 15 bytes of the body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"4Um3S0Vm3"; depth:15; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29360; rev:2;)
# --- Styx exploit kit ---
# Disabled (commented out): EOT font fetch with a 100+ byte URI and a long Referer to /fnts.html.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit eot outbound connection"; flow:to_server,established; urilen:>100; content:".eot"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:!"|0D 0A|"; within:100; content:"/fnts.html"; distance:0; http_header; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29453; rev:1;)
# Landing page request: /i.html?<key>=<25 alnum> with a URI longer than 100 bytes. Sets styx_landing,
# which gates the server->client textarea rule (sid 29449) below.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; http_uri; pcre:"/\/i\.html\?[a-z0-9]+\=[a-zA-Z0-9]{25}/U"; flowbits:set,styx_landing; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29452; rev:1;)
# Follow-on request: a header (the Referer, presumably) contains /?id=ifrm and the URI is /?<9 alnum>=<45 alnum>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound connection attempt"; flow:to_server,established; content:"/?id=ifrm"; fast_pattern:only; http_header; content:"/?"; depth:2; http_uri; pcre:"/\/\?[a-z0-9]{9}\=[a-zA-Z0-9]{45}/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29450; rev:1;)
# Landing page response, only checked when styx_landing is set on this flow: a <textarea id="..."> whose
# first 300 bytes contain no closing tag -- a large blob of encoded script stuffed into a textarea.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; flowbits:isset,styx_landing; file_data; content:"<textarea id=|22|"; content:"|22|>"; within:10; isdataat:300,relative; content:!"</textarea>"; within:300; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29449; rev:1;)
# Landing page response: document.write of a split-up <applet archive="...jar" code="..."> with a
# <param value="http://..."> -- the string splitting ('<app'+'let', 'val'+'ue=') is there to defeat
# simple signatures, so the rule matches the split form literally.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"document.write(|27|<app|27|+|27|let archive=|22|"; content:".jar|22| code=|22|"; distance:0; content:"<param val|27|+|27|ue=|22|http|3A 2F 2F|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29448; rev:1;)
# --- Shared payload name ---
# Content-Disposition: attachment; ... scandsk.exe -- a payload filename seen across several kits, hence
# the generic msg and classtype bad-unknown rather than a kit attribution.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download - scandsk.exe"; flow:to_client,established; content:"attachment|3B|"; http_header; content:"scandsk.exe|0D 0A|"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:29447; rev:1;)
# --- Styx exploit kit (continued) ---
# Disabled (commented out): JRE jar fetch with a 100+ byte URI and a 100+ byte Cookie header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit jar outbound connection"; flow:to_server,established; urilen:>100; content:".jar"; fast_pattern:only; http_uri; content:"Cookie"; http_header; content:!"|0D 0A|"; within:100; content:" Java/1"; http_header; pcre:"/\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29446; rev:4;)
# Request for the kit's font-exploit page, /fnts.html, anchored at end of URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit fonts download page"; flow:to_server,established; content:"/fnts.html"; fast_pattern:only; http_uri; pcre:"/\/fnts\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29445; rev:1;)
# --- Fiesta exploit kit ---
# Payload delivery: a response header containing "flashplayer11_" (the kit's payload filename prefix)
# and a body that starts with the "MZ" PE header.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download"; flow:to_client,established; content:"flashplayer11_"; http_header; file_data; content:"MZ"; depth:2; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29444; rev:1;)
# Outbound exploit request: /[/]<7-8 [a-z0-9_]>/[?]<60-68 hex> plus an optional ;,digit tail, over 70 bytes
# long. The seven negated contents exclude legitimate URL shapes that collide with it; it is only dropped
# in the max-detect policy because the structure is generic enough to be FP-prone.
# NOTE(review): inside the trailing character class "+" is a literal, so "[\x3b\x2c\d+]*" also accepts
# "+" -- probably meant as a quantifier. Also, the content "/" at offset 8/depth 2 can only see URI bytes
# 8-9, so the "//" + 8-char form the pcre allows (slash at byte 10) never matches. Both left as-is pending
# pcap review; this rule is at rev 14 and has clearly been tuned against live traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Fiesta exploit kit outbound connection attempt"; flow:to_server,established; urilen:>70; content:"User-Agent|3A|"; http_header; content:"/"; depth:2; offset:8; http_uri; content:!"&"; http_uri; content:!"details"; http_uri; content:!"weather"; http_uri; content:!"texture"; http_uri; content:!"mailing"; http_uri; content:!"captcha"; http_uri; content:!"/counters/"; http_uri; content:!"/results/"; http_uri; pcre:"/^\/\/?[a-z0-9_]{7,8}\/\??[0-9a-f]{60,68}[\x3b\x2c\d+]*$/U"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.silverlight&file.exploit_kit.flash; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:29443; rev:14;)
# --- Angler exploit kit ---
# Encrypted binary downloads: fixed 8-byte prefixes at the start of the body. The kit rotates its
# encryption, so these need periodic refresh. NOTE(review): sid 31129 later in this file repeats the
# "2C 3E F2 32 30 34 6E 68" prefix of sid 29413 exactly; both alert on the same download.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|7D 6B F8 64 76 74 6E 66|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29414; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E F2 32 30 34 6E 68|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29413; rev:1;)
# Disabled (commented out): JRE request for a 48-char [a-z0-9_-] URI (urilen:49).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit Java download attempt"; flow:to_server,established; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_-]{48}$/Ui"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29412; rev:3;)
# Landing page: the kit's browser check, navigator.userAgent.indexOf('Firefox')>=0||...indexOf('MSIE')>=0)).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"navigator.userAgent.indexOf(|27|Firefox|27|)>=0|7C 7C|navigator.userAgent.indexOf(|27|MSIE|27|)>=0))"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29411; rev:1;)
# --- Redkit exploit kit ---
# Payload request by the JRE: /download.asp?p=<single digit>, case-insensitive, anchored at end of URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; nocase; http_uri; content:" Java/1."; fast_pattern:only; http_header; pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:29864; rev:1;)
# --- Hello/LightsOut exploit kit ---
# Exploit-stage requests (sids 30004-30009): the URI selects the exploit (a=h2 .. a=h7) and the Referer is
# the kit's plugin-detection page (.php?a=h1&f=...&u=Mozilla...). The target named in each msg reflects the
# kit's own branching logic, not anything in the matched bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older"; flow:to_server,established; content:".php?a=h7"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30009; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP"; flow:to_server,established; content:".php?a=h6"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30008; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17 "; flow:to_server,established; content:".php?a=h5"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30007; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP"; flow:to_server,established; content:".php?a=h4"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30006; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17"; flow:to_server,established; content:".php?a=h3"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30005; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17"; flow:to_server,established; content:".php?a=h2"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30004; rev:2;)
# Payload request by the JRE: .php?a=dw<letter> at end of URI; sets file.exploit_kit.pe.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt"; flow:to_server,established; content:".php?a=dw"; fast_pattern:only; http_uri; pcre:"/\?a=dw[a-z]$/U"; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2012-1723; reference:cve,2013-1489; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30003; rev:3;)
# Jar request by the JRE. Not anchored: any URI containing ".php?a=r" from a Java User-Agent matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit Java download attempt"; flow:to_server,established; content:".php?a=r"; fast_pattern:only; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30002; rev:2;)
# Landing page: a hidden iframe created with document.createElement("iframe"), given a .php src and
# appended to the DOM, with the same variable name carried through via the named backreference.
# NOTE(review): the pcre has /i but no /s, so "." does not cross line breaks -- the whole sequence must
# sit on one line (plausible for the kit's minified script, but a pretty-printed copy would be missed).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected"; flow:to_client,established; file_data; content:"document.createElement(|22|iframe|22|)"; fast_pattern:only; content:".width"; content:".height"; content:".style.visibility"; within:50; content:".php"; within:300; content:".appendChild("; within:500; pcre:"/var\s(?P<name>\w+)\s?=\s?document\.createElement\x28\x22iframe\x22\x29.*?(?P=name)\.style\.visibility.*?(?P=name)\.src\s?=\s?[\x22\x27][^\x22\x27]*\.php.*?\.appendChild\x28(?P=name)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30001; rev:2;)
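# --- Stamp exploit kit (continued) ---
# Payload delivery: a Content-Disposition filename containing "very.mhh". fast_pattern is placed on the
# kit-specific "very.mhh" rather than letting the engine default to "filename=", which appears in every
# file download and would route all of them through this rule (same approach as sid 25764 below).
# Relative contents may carry fast_pattern (not fast_pattern:only), so match semantics are unchanged.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload delivery - specific string"; flow:to_client,established; content:"filename="; http_header; content:"very.mhh"; within:12; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30134; rev:1;)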
# Landing page: frameset markup with the literal frameborder="NO" framespacing="0" border="0"><frame name=
# fragment (the kit's exact attribute order and casing).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"frameborder=|22|NO|22| framespacing=|22|0|22| border=|22|0|22|><frame name="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30133; rev:1;)
# --- Nuclear exploit kit ---
# Payload request: /f[/<digit>]/1[34]<8 digits>[/<9-10 digits>](/<digit>)+<1-6 non-letters>; sets file.exploit_kit.pe.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(?:\/\d)?\/1[34]\d{8}(?:\/\d{9,10})?(?:\/\d)+[^a-zA-Z]{1,6}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30220; rev:3;)
# JRE jar request: [/<9-10 digits>][/<digit>]/1[34]<8 digits>.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound jar request"; flow:to_server,established; content:"/1"; http_uri; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^(?:\/\d{9,10})?(?:\/\d)?\/1[34]\d{8}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30219; rev:3;)
# --- Zuponcic exploit kit ---
# Jar delivered under a Content-Disposition filename of "FlashPlayer.jar" (posing as a Flash update).
# fast_pattern is on the filename, not on the ubiquitous "filename=".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Zuponcic exploit kit Oracle Java file download"; flow:to_client,established; content:"filename="; nocase; http_header; content:"FlashPlayer.jar"; within:17; fast_pattern; http_header; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:4;)
# --- Goon/Infinity exploit kit ---
# PE payload request disguised as /<digits>.mp3?rnd=<digits>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\?rnd=\d+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30319; rev:2;)
# Landing pages: the literal "Wait Please..." placeholder markup, and an applet param jnlp_href pointing at a .xml.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"<html><th>Wait Please...</th><body>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30317; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:".xml|22| name=|22|jnlp_href|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30316; rev:1;)
# --- WhiteLotus exploit kit ---
# Plugin-detection POST with a 32-byte URI whose body carries v=, &u=, &c=, &s={ and &w= in that order.
# There is no URI content, so the fast pattern falls on one of the short body fragments.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT WhiteLotus exploit kit plugin outbound detection"; flow:to_server,established; urilen:32; content:"POST"; http_method; content:"v="; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"&w="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30312; rev:1;)
# --- SofosFO/Stamp exploit kit ---
# NOTE(review): byte-for-byte the same detection content as sid 29128 (Stamp plugin detection page)
# earlier in this file; both alert on the same response. Kept for sid continuity, but one should be retired.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SofosFO/Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30306; rev:1;)
# --- Magnitude exploit kit ---
# JRE payload requests: 32 hex chars optionally interleaved with "/" or "_" then /<digits> (sid 30768),
# or exactly /<32 hex>/<32 hex> (sid 30767, urilen:66 == 1+32+1+32).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:>32; content:" Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9]){32}[\/_]*?\/\d+?$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30768; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:66; content:" Java/1."; http_header; pcre:"/^\/(?:[a-f0-9]{32}\/[a-f0-9]{32})$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30767; rev:1;)
# Landing page: <EMBED code=... archive="http://.../<32 hex>/<32 hex>" -- the same two-hash path the
# payload rules above expect the JRE to request next.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit landing page"; flow:to_client,established; file_data; content:"<EMBED code="; content:"archive=|22|http|3A 2F 2F|"; distance:0; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\x22/R"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30766; rev:1;)
# --- Angler exploit kit ---
# Landing page carrying a base64-encoded JNLP document; the literal decodes to
# '\n<?xml version="1.0" encoding="utf-8"?>\n<jnlp spec="1.0" xm'. Only this base64 alignment is covered:
# a one- or two-byte shift in what precedes the XML produces different encoded text and will not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - base64 encoded xml/jnlp statement"; flow:to_client,established; file_data; content:"Cjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+CjxqbmxwIHNwZWM9IjEuMCIgeG1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30852; rev:1;)
# --- Goon/Infinity exploit kit ---
# JRE fetching <digits>.mp3 with a normalized URI shorter than 50 bytes -- Java does not play mp3s, so the
# User-Agent is the tell.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java"; flow:to_server,established; urilen:<50,norm; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\d+\.mp3$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30878; rev:1;)
# --- Nuclear exploit kit ---
# PDF request: /<9-10 digits>/1/1<9 digits>.pdf with ".html" somewhere in the request headers (the Referer,
# presumably; the match is not restricted to that header).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound PDF request"; flow:to_server,established; content:".pdf"; http_uri; content:"/1/1"; fast_pattern:only; http_uri; content:".html"; http_header; pcre:"/^\/\d{9,10}\/1\/1\d{9}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30937; rev:2;)
# --- Goon/Infinity/Rig exploit kit ---
# Exploit request: .php?req=(xap|xml|swf|swfIE|mp3|jar)&PHPSSESID=. "PHPSSESID" (double S) is not the
# standard PHPSESSID cookie name -- it is the kit's own spelling and is matched literally on purpose.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure"; flow:to_server,established; content:".php?req="; fast_pattern; nocase; http_uri; content:"&PHPSSESID="; distance:0; http_uri; pcre:"/\.php\?req=(?:x(?:ap|ml)|swf(IE)?|mp3|jar)\&/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30936; rev:3;)
# Landing page: ":stroke id=" markup plus the kit's "function pop(koz)" helper.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|3A|stroke id="; fast_pattern:only; content:"|3B|function pop(koz)"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30935; rev:2;)
# Encrypted binary: fixed 8-byte body prefix (will go stale when the kit changes its encoding).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|89 B4 F4 6A 24 1F 46 14|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30934; rev:2;)
# --- Generic redirection gate ---
# POST to /<32 hex>.php?q=<32 hex> (urilen:72 == 1+32+4+3+32): a traffic-distribution gate seen in front
# of several kits, hence the "Multiple" msg.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit redirection gate"; flow:to_server,established; urilen:72; content:"POST"; http_method; content:".php?q="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30920; rev:1;)
# Disabled (commented out): Sweet Orange /testi.jnlp request by the JRE. Note it is written against raw
# payload on any destination port, without http_uri/http_header modifiers.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request"; flow:to_server,established; content:"/testi.jnlp"; content:" Java/1."; distance:0; metadata:impact_flag red, service http; classtype:trojan-activity; sid:30960; rev:2;)
# --- CritX exploit kit: per-exploit landing pages ---
# Flow: the client requests one of the kit's selector pages (silver.php, java{rh,db}.php, flash201{3,4}.php,
# msie.php); that request sets a critx_* flowbit, and the matching server->client rule then inspects the
# response on the same flow. The flowbits are only set by rules in this group.
# Flash landing (critx_flash): <script>, one byte, "var X=function(" ... 'toString' ... '+X(<digits>) -- a
# name-obfuscated string decoder, with the function name carried via the named backreference.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"<script>"; content:"var "; within:4; distance:1; content:"|27|toString|27|"; distance:0; pcre:"/var\s+(?P<name>\w+)\=function\(.*?\x27\x2b(?P=name)\(\d+\x29/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30976; rev:1;)
# Java landing (critx_java): document.write of an applet whose archive= points at .../<32 hex>.jar.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"document.write"; content:"archive="; distance:0; content:".jar"; distance:0; pcre:"/\/[a-f0-9]{32}\.jar/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30975; rev:1;)
# Payload request: /load(db|rh|silver|msie|im|flash|fla<4-5 digits>).php (not anchored at end of URI).
# Overlaps sid 29166 (/loadmsie.php?id=) earlier in this file, so both fire on that path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload request"; flow:to_server,established; content:"/load"; http_uri; content:".php"; distance:0; http_uri; pcre:"/\/load(?:(?:db|rh|silver|msie|im|flash|fla[0-9]{4,5}))\.php/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/05/29/index.html; classtype:trojan-activity; sid:30973; rev:3;)
# Selector-page requests (sids 30972-30969). sids 30972 and 30969 only set their flowbit (flowbits:noalert);
# sids 30971 and 30970 set theirs and also alert. NOTE(review): none of the four carries a policy, which
# is what a silent helper rule looks like, so the alerting pair may be missing a noalert -- confirm intent
# before changing. "/java" as a fast_pattern is a very common URI fragment; the pcre keeps the result
# correct, but this rule will be evaluated on a lot of benign traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Silverlight landing page"; flow:to_server,established; content:"/silver.php"; fast_pattern:only; http_uri; flowbits:set,critx_font; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30972; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Oracle Java landing page"; flow:to_server,established; content:"/java"; fast_pattern:only; http_uri; pcre:"/\/java(rh|db)\.php$/U"; flowbits:set,critx_java; metadata:service http; classtype:trojan-activity; sid:30971; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Adobe Flash landing page"; flow:to_server,established; content:"/flash201"; fast_pattern:only; http_uri; pcre:"/\/flash201(3|4)\.php$/U"; flowbits:set,critx_flash; metadata:service http; classtype:trojan-activity; sid:30970; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Internet Explorer landing page"; flow:to_server,established; content:"/msie.php"; fast_pattern:only; http_uri; flowbits:set,critx_ie; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30969; rev:1;)
# Font landing, reached via the Silverlight selector (critx_font): an x-silverlight-2 type, ".eot", and a
# base64 "http:/" ("aHR0cDov") whose base64 string ends in ".eot" at any of its three alignments
# (LmVvdA==, 5lb3Q=, uZW90) before the closing quote.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to font exploit"; flow:to_client,established; flowbits:isset,critx_font; file_data; content:"/x-silverlight-2"; content:".eot"; distance:0; content:"aHR0cDov"; distance:0; pcre:"/^[\w+\/]+(?:(?:LmVvdA|5lb3Q)==?|uZW90)[\x22\x27]/Rsi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30968; rev:1;)
# Flash landing (critx_flash): createFlashMarkup pointing at .../<5 hex>.swf.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"createFlashMarkup"; content:".swf"; distance:0; pcre:"/[a-zA-Z0-9]\/[a-f0-9]{5}\.swf[\x22\x27]/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30967; rev:1;)
# IE landing (critx_ie): a VML behavior stylesheet declaration.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Microsoft Internet Explorer exploit"; flow:to_client,established; flowbits:isset,critx_ie; file_data; content:"behavior:url(#default#VML"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30966; rev:1;)
# Java landing (critx_java): jnlp_embedded followed by "C9qbmxwPg==", the tail of base64("</jnlp>").
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"jnlp_embedded"; content:"C9qbmxwPg=="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30965; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:70<>82; content:"= HTTP/"; fast_pattern:only; content:"User-Agent"; http_header; pcre:"/^\/[-\w]{70,78}==?$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:service http; classtype:trojan-activity; sid:31046; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|21 3B E3 70 65 6E 66 64|"; depth:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31130; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E F2 32 30 34 6E 68|"; depth:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31129; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound swf request"; flow:to_server,established; content:"/1"; http_uri; content:".swf"; fast_pattern:only; http_uri; pcre:"/^(?:\/\d{9,10})?(?:\/[16])?\/1[34]\d{8}\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31237; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound jar request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/modules\/\d\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31232; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/load_module.php?user="; fast_pattern:only; http_uri; pcre:"/\/load_module\.php\?user\=(n1|1|2|11)$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31231; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/add_visitor.php?referrer=http://"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31230; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; pcre:"/\/modules\/(n?\d|nu)\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31229; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"#default#VML"; fast_pattern:only; content:"*/var "; isdataat:500,relative; content:"|3B|function "; within:50; pcre:"/\x3bfunction\s(?P<name>\w)\x28.*\x3b(?P=name)\x28\x22[\da-z]+\x22\x29\x3b/"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:31298; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit decryption page outbound request"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\sHTTP/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31279; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".mkv"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.mkv/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31278; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle Java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".djvu"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.djvu/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31277; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:35; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\/\d+\.\d+\.\d+\.\d+\//"; flowbits:set,file.exploit_kit.flash; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0634; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31276; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit landing page"; flow:to_client,established; content:"*/adv=|27|OrbitWhite|27|/* "; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31275; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit encrypted binary download"; flow:to_client,established; content:"filename="; content:".jat"; distance:0; pcre:"/filename=[a-z]+\.jat/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31274; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:65,norm; content:"User-Agent"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{64}$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:31332; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E C2 32 61 34 6E 68|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31331; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body style=|22|margin|3A|0px|3B 22|><body style=|22|margin|3A|0px|3B 22|>"; fast_pattern:only; content:"<iframe src=|22|http|3A 2F 2F|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31372; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:"Cache-Control|3A 20|no-cache|0D 0A 0D 0A|"; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1\.[^\x2f]+Host\x3a\x20[^\x3a]+\x3a\d+\x0d\x0a/"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31371; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit redirection page"; flow:to_client,established; file_data; content:"var|20|"; content:"|3B 20|var|20|"; within:20; distance:5; content:"|3B 20|if(!Array.prototype.indexOf){"; within:50; distance:5; content:"this.length|3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; pcre:"/^\/\d{2,4}\.xap$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31369; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:established,to_server; urilen:25<>32; content:".html?0."; depth:11; offset:2; http_uri; pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request"; flow:to_server,established; content:".x HTTP/1."; fast_pattern:only; content:" MSIE "; http_header; content:!"Referer"; nocase; http_header; flowbits:set,file.exploit_kit.silverlight; flowbits:noalert; metadata:service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31701; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit landing page detection"; flow:to_client,established; file_data; content:"<li class=|22|is-new|22|>"; content:"<a href=|22|show.php"; within:17; distance:1; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31700; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|71 75 B9 86 D8 51 1B 7B|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31699; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 36 F4 6F 6D 6A 66 67|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31695; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B 28 FF 53 4B 75 39 68|"; depth:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31694; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page detected"; flow:to_client,established; file_data; content:"=|22|1|3B|url=about|3A|Tabs|22 20|http-equiv"; fast_pattern:only; content:"|5C|x72|5C|x65|5C|x70|5C|x6C|5C|x61|5C|x63|5C|x65"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31692; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detection"; flow:to_client,established; file_data; content:"=|27|+|27 20 22|re|27|+|27|pl|27|+|27|ac|27|+|27|e|22 3B 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31734; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt"; flow:to_client,established; content:"jquery_datepicker"; fast_pattern:only; pcre:"/(var jquery_datepicker=)|(jquery_datepicker.replace)/"; metadata:impact_flag red, service http; reference:url,malware-traffic-analysis.net/2014/08/18/index.html; classtype:trojan-activity; sid:31770; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port"; flow:to_server,established; content:"/stargalaxy.php?nebula="; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31769; rev:1;)
# Generic SWF container check: "ZWS" (LZMA-compressed) or "CWS" (zlib-compressed)
# magic in the first 3 bytes of the response body. Neither rule is evaluated unless
# an earlier request rule set file.exploit_kit.flash, so it is the flowbit, not the
# magic, that scopes these to exploit-kit traffic; the flowbit is not cleared here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"ZWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31903; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"CWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31902; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected"; flow:to_client,established; file_data; content:"9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31901; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected"; flow:to_client,established; file_data; content:"nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31900; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected"; flow:to_client,established; file_data; content:"SYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6Qty"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31899; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|22 29 3B 0A 0D 0A|</script>"; fast_pattern; content:"</script>|0A|<script>"; within:150; content:"|0A 0D 0A|</script>|0D 0A|<h"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31898; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8087 (msg:"EXPLOIT-KIT Scanbox exploit kit exfiltration attempt"; flow:to_server,established; content:"projectid="; depth:10; nocase; content:"&seed="; within:40; nocase; content:"&ip="; within:40; nocase; content:"&referrer="; within:40; nocase; content:"&agent="; within:40; nocase; content:"&location="; within:250; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31859; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_server,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31858; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_client,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31857; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0 DB D2 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31972; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit redirection attempt"; flow:to_server,established; urilen:>60,norm; content:"POST"; http_method; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Referer|3A 20|"; http_header; content:"x-req|3A 20|"; fast_pattern; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31970; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|F2 F7 94 75 16 7E 8E 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31967; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31966; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit landing page"; flow:to_client,established; file_data; content:"{(new Image).src=|22|/"; content:"%72%6f%72%72%65%6e%6f"; distance:0; fast_pattern; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31965; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit landing page"; flow:to_client,established; file_data; content:"expires=|22|+expires.toGMTString()"; nocase; content:"51yes.com/click.aspx?"; fast_pattern; nocase; content:"|22|gb2312|22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31988; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32390; rev:1;)
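# Outbound Java-plugin request for /14<8 digits>[.jar] (a Unix-epoch-style name, as in
# the sibling Nuclear rules 32878/32876). The optional extension is now written as
# (?:\.jar)? — the original "(.jar)?" left the dot unescaped, so any character before
# "jar" satisfied the pattern and widened the match beyond the intended URI shape.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Oracle Java request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/14\d{8}(?:\.jar)?$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32389; rev:2;)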
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"*/ new Function(|22|"; content:"|22|,|22|if("; within:20; content:" != |27 27|){"; pcre:"/new\sFunction\x28\x22(?P<a1>\w+)\x22\,\x22if\x28(?P=a1)\x20/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32388; rev:1;)
# Flags a ZIP/JAR body (PK\x03\x04 local-file header) delivered under an
# 8-character filename ending in ".swf" — i.e. a jar masquerading as Flash.
# The filename checks carry no http_header modifier, so they run against the raw
# payload; the final within:4 follows the file_data buffer switch with no prior
# match in that buffer. NOTE(review): presumably intended as depth:4 on the body
# start — verify the relative-match semantics on the engine version in use.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit jar file download"; flow:to_client,established; content:"filename="; content:".swf"; within:4; distance:8; file_data; content:"PK|03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32387; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound structure"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(\/[^\x2f]+)?\/14\d{8}(\/\d{9,10})?(\/\d)+(\/x[a-f0-9]+(\x3b\d)+?)?$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32386; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound Oracle Java request"; flow:to_server,established; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:" Java/1."; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:32399; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request"; flow:to_server,established; content:"/Plugin.jar"; http_uri; content:" Java/1."; http_header; content:"="; depth:1; offset:32; http_cookie; pcre:"/[a-f0-9]{32}=[a-f0-9]{32}/C"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32555; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hellspawn exploit kit landing page detected"; flow:to_client,established; file_data; content:"weCameFromHell(|27|<applet name=|22|Update Java"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32554; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port"; flow:to_server,established; content:"GET"; content:".jnlp HTTP/1.1"; distance:0; content:" Java/1."; content:"Host"; content:"|3A|"; distance:0; pcre:"/(applet|testi)\.jnlp\sHTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32641; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection"; flow:to_server,established; content:"GET /"; content:".php?"; fast_pattern:only; pcre:"/\w+\.php\?\w+\=\d+\s*HTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32640; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port"; flow:to_server,established; content:"GET"; content:".jar HTTP/1.1"; distance:0; content:" Java/1."; content:"Host|3A|"; pcre:"/Host\x3a[^\n]+\x3a\d+\r\n/"; metadata:service http; classtype:trojan-activity; sid:32639; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port"; flow:to_server,established; content:"GET /"; content:"x-flash-version|3A 20|1"; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; pcre:"/Referer\x3a[^\n]+\x3a\d+\x2f/"; metadata:service http; classtype:trojan-activity; sid:32638; rev:1;)
# Matches the comment-padded parameter list  function(/*…*/p,/*…*/a,/*…*/c,/*…*/k,
# of a JavaScript packer; each within:25 bounds the padding comment between
# parameters. Classified misc-activity rather than trojan-activity because the packer
# itself is not kit-specific — expect hits on any site that ships scripts obfuscated
# this way, so treat a lone event as a triage lead rather than a compromise indicator.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT known malicious javascript packer detected"; flow:to_client,established; file_data; content:"function|28 2F 2A|"; content:"|2A 2F|p,|2F 2A|"; within:25; content:"|2A 2F|a,|2F 2A|"; within:25; content:"|2A 2F|c,|2F 2A|"; within:25; content:"|2A 2F|k,|2F 2A|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/; classtype:misc-activity; sid:32804; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CK exploit kit landing page"; flow:to_client,established; file_data; content:"=|22|i|22|+|22|m|22|+|22|g|22 3B|"; content:"=|22|s|22|+|22|r|22|+|22|c|22 3B|"; within:14; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32803; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; urilen:>36; content:"/ABs"; fast_pattern:only; http_uri; pcre:"/^\/ABs[A-Za-z0-9]+$/U"; flowbits:set,Nuclear; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32880; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit payload delivery"; flow:to_client,established; flowbits:isset,Nuclear; content:"X-Powered-By|3A 20|"; http_header; content:"application/octet-stream"; http_header; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:"filename="; distance:0; http_header; pcre:"/filename=[a-z0-9]+\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32879; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32878; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/13"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}(?:\.swf)$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32877; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})(?:\.xap)$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32876; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit Adobe Flash download"; flow:to_client,established; flowbits:isset,file.nuclear.flash; content:"x-shockwave-flash"; http_header; content:"filename="; distance:0; http_header; content:".swf"; distance:0; http_header; pcre:"/filename\=\d+\.swf/H"; content:"ZWS"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32995; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; file_data; content:"|12 73 00 00 62 05 24 01 C5 25 FF 01 A8 63 05 62 03 62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33187; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8 63 06|"; content:"|62 06 66 01 25 FF 01 A8 C5 25 FF 01 A8 63 09|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33186; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B C7 6A 1E 7C C2 43 EA|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33185; rev:1;)
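# Server response carrying the fixed "Expires: Sat, 26 Jul 2007 05:00:00 GMT" header
# together with an x-shockwave-flash content type; sets file.exploit_kit.flash so the
# generic SWF-magic rules (31903/31902) can fire on the body. The rule inspects
# response headers with flow:to_client, so the header direction must be
# server -> client: the original $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS contradicted
# the flow keyword and could never match a response.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash download"; flow:to_client,established; content:"Expires|3A| Sat, 26 Jul 2007 05|3A|00|3A|00 GMT"; fast_pattern:only; http_header; content:"x-shockwave-flash"; nocase; http_header; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33184; rev:2;)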
# sid 33183 - Angler: landing page keyed solely on a Last-Modified header
# carrying a far-future date (year 2039). Single fast_pattern:only header
# match; no body inspection, so the byte cost is low but the match is narrow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2039"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33183; rev:1;)
# sid 33182 - Angler: client request for the Flash stage. Requires a Referer
# and an x-flash-version request header, and a normalized URI of exactly
# 49 bytes: "/" followed by 48 [\w-] characters (the urilen and the pcre
# agree). Sets file.exploit_kit.flash for the response-side rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request"; flow:to_server,established; urilen:49,norm; content:"Referer"; http_header; content:"x-flash-version|3A|"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{48}$/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33274; rev:1;)
# sids 33274 / 33273 - Angler CVE-2015-0311 SWF exploit carried in inbound
# SMTP to $SMTP_SERVERS. Both require the file.swf flowbit (set elsewhere by
# the SWF file-type rules) and match a single 32-byte sequence in file_data.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33274; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33273; rev:1;)
# sids 33272 / 33271 - same two CVE-2015-0311 byte sequences as the SMTP pair
# above, for file bodies served to clients over ftp-data/http/imap/pop3.
# NOTE(review): 33272 lacks the fast_pattern:only that its three siblings
# carry; with a single content Snort still uses it as the fast pattern, but
# the qualifier is worth adding for consistency.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33272; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33271; rev:1;)
# sid 33286 - Angler: another SWF exploit body variant (same Jan-2015 Flash
# 0-day reference as sid 33186). One 32-byte sequence in file_data, no
# file.swf flowbit precondition.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|80 E2 3F 18 CF F1 3D 00 C4 1C 6E 7A 9F A6 2F 5D 04 11 2E BF C5 79 FC FC 26 2F F0 88 C6 76 1D C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33286; rev:1;)
# sid 33292 - Angler: landing page embedding Flash with allowScriptAccess=always
# and a FlashVars <param> whose value contains "exec=" within 25 bytes of the
# attribute (the within: chain anchors each token to the previous one).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"allowScriptAccess=always"; fast_pattern:only; content:"param name=FlashVars"; nocase; content:"value"; within:25; nocase; content:"exec="; within:25; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:33292; rev:1;)
# sid 33663 - Angler: outbound URI of the form "/lists/" + 20 digits; urilen:27
# equals 7 + 20, so the length check and the pcre agree. Destination port is
# "any" rather than $HTTP_PORTS (the other outbound rules here use
# $HTTP_PORTS); http_uri still limits it to flows the HTTP inspector handles.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound uri structure"; flow:to_server,established; urilen:27; content:"/lists/"; fast_pattern:only; http_uri; pcre:"/^\/lists\/\d{20}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33663; rev:1;)
# sid 33906 - Rig: outbound URI longer than 170 bytes starting "/?", a 15-char
# [A-Za-z0-9_-] parameter name, then "=l3S" (the within:4/distance:15 pair
# places "=l3S" at offset 17, matching the pcre). Sets file.exploit_kit.flash.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>170,norm; content:"/?"; depth:2; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33906; rev:1;)
# sid 33905 - Rig: "/index.php?" variant of 33906 (urilen > 220). Additionally
# requires "/?" and "=l3S" somewhere in the request headers - presumably the
# Referer carrying the previous-stage URI; confirm against a capture.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>220,norm; content:"/index.php?"; depth:11; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; content:"/?"; http_header; content:"=l3S"; http_header; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33905; rev:1;)
# sid 33983 - Nuclear: obfuscated payload download. Keys on a Content-Disposition
# header with an EMPTY filename ("filename=" immediately followed by the
# CRLFCRLF header terminator) and the first 8 bytes of the body. No http_
# buffer modifier, so the match spans the header/body boundary in the raw
# normalized stream. The long CVE list is the kit's exploit inventory, not
# what this rule detects.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit obfuscated file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A 3F 0B D4 6C 4F 48 61 50|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33983; rev:2;)
# sid 33982 - Nuclear: landing page. Fast pattern is the "</script></head>
# CRLF <body> CRLF <h" page skeleton; then a <textarea> whose id, title and
# name attributes are single-quoted and within 25 bytes of each other.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"</script></head>|0D 0A|<body>|0D 0A|<h"; fast_pattern:only; content:"<textarea id=|27|"; content:"|27| title=|27|"; within:25; content:"|27| name=|27|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33982; rev:2;)
# sid 33981 - Nuclear: Flash download. Same empty-filename Content-Disposition
# shape as 33983, with the body starting "ZWS" (the LZMA-compressed SWF
# signature). References are the Flash CVEs the kit is known to deliver.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit flash file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A|ZWS"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33981; rev:2;)