exploit-kit.rules

# Copyright 2001-2015 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------
# EXPLOIT-KIT RULES
#-------------------

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:". HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; flowbits:noalert; metadata:ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jnlp request"; flow:to_server,established; urilen:18; content:".jnlp"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9]{12}\.jnlp$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26964; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jar request"; flow:to_server,established; urilen:14; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-f0-9]{9}\.jar$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26963; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit portable executable download"; flow:to_client,established; file_data; content:"|4F CF 6A BC A1 03 01 00 69|"; depth:9; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26962; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Zuponcic exploit kit landing page"; flow:to_client,established; file_data; content:"<iframe style="; content:"z-index|3A| -1"; within:11; distance:1; content:"scrolling="; content:"no"; within:2; distance:1; content:"src="; within:4; distance:2; content:"http|3A 2F 2F|"; within:7; distance:1; content:"mt"; within:50; distance:10; content:" id="; within:4; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26960; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 4"; flow:to_server,established; content:".php?exp=rhino&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26959; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 3"; flow:to_server,established; content:".php?exp=atom&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 2"; flow:to_server,established; content:".php?exp=lib&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26957; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 1"; flow:to_server,established; content:".php?exp=byte&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26956; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI request"; flow:to_server,established; content:"/.cache/?f="; fast_pattern; http_uri; content:".jar"; http_uri; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=s"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:26950; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0"; within:1; distance:1; content:" height="; within:8; distance:1; content:"0"; within:1; distance:1; content:" code="; within:6; distance:1; content:"site.avi"; within:8; distance:1; nocase; content:" archive="; within:9; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit malware download"; flow:to_server,established; content:"/load.php?e="; http_uri; content:"&ip="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26897; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Plugin detection response"; flow:to_server,established; content:"/gate.php?ver="; http_uri; content:"&p="; distance:0; http_uri; content:"&j="; distance:0; http_uri; content:"&f="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26896; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Java V7 exploit download"; flow:to_server,established; content:"/j07.php?i="; fast_pattern:only; http_uri; content:" Java/1.7"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26895; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Java V6 exploit download"; flow:to_server,established; content:"/j161.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26894; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit landing page"; flow:to_client,established; file_data; content:"<script src="; content:"js/js.js"; distance:1; content:"AdobeReader"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26893; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".jar"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26838; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26814; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Redkit exploit kit short jar request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; content:"content-type|3A| application/x-java-archive"; http_header; pcre:"/^\/[a-z0-9]{1,4}\.jar$/U"; content:!"cbssports.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"|7C|secure|7C|length|7C|setStr|7C|getCookie|7C|setCookie|7C|indexOf|7C|v|7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26807; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit short JNLP request"; flow:to_server,established; content:".jnlp"; fast_pattern:only; http_uri; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26806; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit encrypted binary download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|FB 67 1F 49|"; depth:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26805; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page - specific structure"; flow:established,to_client; file_data; content:"<applet><param name=|22|jnlp_href|22| value=|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/; classtype:trojan-activity; sid:26653; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer injection - specific structure"; flow:to_client,established; file_data; content:"|7B|catch(d21vd12v)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26617; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"var sentleft=|7B|versoin|3A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26600; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"/*reedjoll*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26599; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT unknown exploit kit script injection attempt"; flow:to_client,established; file_data; content:"|22|+escape|28|"; depth:100; content:".charCodeAt|28|"; distance:0; content:"</script>id="; within:64; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit successful redirection - jnlp bypass"; flow:to_server,established; content:"php?jnlp="; fast_pattern:only; http_uri; pcre:"/php\?jnlp\=[a-f0-9]{10}($|\x2c)/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26541; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer injection - specific structure"; flow:to_client,established; file_data; content:"try{document.body-=12|3B|}catch(dv32r3)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26540; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit pdf download detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<< /CreationDate (D|3A|20130404171020)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26539; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit landing page received"; flow:to_client,established; file_data; content:"<html><body></body><input id=|27|"; content:"|27| value=|27 25|"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26538; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit jar download detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main.class"; content:"NOnoa.class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26537; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"<applet  archive="; content:".jar"; within:30; distance:5; content:"  code="; within:30; content:".class"; within:30; distance:5; content:" width="; within:30; content:"  height="; within:25; content:"<param"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26536; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value="; distance:0; content:"PD"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26535; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit portable executable download"; flow:to_server,established; content:"/elections.php?"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt"; flow:to_server,established; content:"/info/last/index.php"; fast_pattern:only; http_uri; pcre:"/^Host:\s*?[a-f0-9]{63,64}\./Him"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26527; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"|2F 2A 14 20|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit redirection structure"; flow:to_client,established; file_data; content:"<iframe id="; content:"frmstyle"; within:8; distance:1; content:" src="; within:5; distance:1; content:"http|3A 2F 2F|"; within:7; distance:1; content:" height="; within:250; content:"frameborder=0></iframe>"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26511; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bottom.class"; content:"Bottom10.class"; distance:0; content:"Bottom11.class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26509; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll"; flow:to_client,established; content:"filename="; http_header; content:"info.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26508; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit jar file downloaded"; flow:to_client,established; file_data; content:"Suburb.class"; content:"Suburb013.class"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26434; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?j="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?j\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26384; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?i="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?i\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26383; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; urilen:8; content:".jar"; http_uri; content:" Java/1"; http_header; content:"content-type|3A| application/x-java-archive"; fast_pattern:20,20; pcre:"/\/([0-9][0-9a-z]{2}|[0-9a-z][0-9][0-9a-z]|[0-9a-z]{2}[0-9])\.jar$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26377; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"=new Array|3B|EGYPACK_CRYPT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26368; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Egypack exploit kit outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Egypack/1."; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26367; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"<script language=|22|JavaScript|22|>var EGYPACK_CRYPT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26366; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; distance:0; content:" code="; within:6; distance:1; content:"Java.class"; within:10; distance:1; content:">"; within:1; distance:1; content:"<param name="; distance:0; content:"name"; within:4; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26351; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT TDS redirection - may lead to exploit kit"; flow:to_server,established; content:"/count"; http_uri; content:".php"; within:4; distance:2; http_uri; pcre:"/\/count\d{2}\.php$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26350; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit obfuscated portable executable"; flow:to_client,established; content:"filename=setup.exe"; fast_pattern:only; http_header; file_data; content:"|8B 7F AA 11 CE 52 0A 3D 76|"; depth:9; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26349; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit java exploit delivery"; flow:to_client,established; file_data; content:"Application.class"; content:"Fazan.class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26348; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload requested"; flow:to_server,established; urilen:8; content:".html"; http_uri; content:" Java/1"; fast_pattern; http_header; pcre:"/\/\d{2}\.html$/U"; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26346; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?h="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?h\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26345; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; distance:0; content:" code="; within:6; distance:1; content:"Application.class"; within:17; distance:1; content:">"; within:1; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26344; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"id="; content:"swf_id"; within:6; distance:1; content:"<param name="; distance:0; content:"Play"; within:4; distance:1; content:" value="; within:7; distance:1; content:"0"; within:1; distance:1; content:"><embed src="; distance:1; content:"http|3A 2F 2F|"; within:8; distance:1; content:".swf"; pcre:"/[a-z0-9]{32}\.(?:jar|swf)/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26343; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<div class="; content:"retwretrewt"; within:11; distance:1; content:">|3A|)"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26342; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"<applet name="; content:" code="; within:100; content:" archive="; within:100; content:"http|3A 2F 2F|"; within:50; content:".jar"; distance:0; content:" codebase="; distance:0; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26341; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval - ff.php"; flow:to_server,established; urilen:>16; content:"/ff.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/ff\.php/U"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26339; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr injection detection - leads to exploit kit"; flow:to_client,established; file_data; content:"}catch(gdsg"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26338; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"prototype|3B|}catch("; content:".substr"; within:50; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26337; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit redirection page"; flow:to_client,established; file_data; content:"<frame marginwidth=0 marginheight=0 frameborder=0 name=|22|TOPFRAME|22|"; fast_pattern:only; content:"index.php?id="; content:"noresize>"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:26323; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit redirection page"; flow:to_client,established; file_data; content:"var"; content:"=|22|pdf|22|"; within:25; content:"location.href="; within:250; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26297; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|"; within:50; content:"|22| name=|22|"; within:50; content:"<param name=|22|"; within:20; distance:5; content:"|22| value=|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26296; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"EXPLOIT-KIT Sakura exploit kit exploit request"; flow:to_server,established; content:"/news/thing.php"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26293; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<object classid=|22|clsid|3A|8AD9C840-044E-11D1-B3E9-00805F499D93|22| codebase=|22|"; fast_pattern:only; content:"<param NAME=|22|ARCHIVE|22| VALUE=|22|"; metadata:service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26253; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code=|22|"; content:".class|22| archive=|22|"; distance:0; content:".jar|22| width=|22|1|22| height=|22|1|22|><param name=|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2010-0188; reference:cve,2012-1723; reference:cve,2012-5076; reference:cve,2013-0422; classtype:trojan-activity; sid:26252; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<applet  archive=|22|"; content:"|22|  code=|22|"; within:25; content:".class|22|"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26233; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<script>p=parseInt|3B|ss=String|3B|asgq="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26232; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>16; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/q\.php/U"; content:!"siteadvisor.com"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26227; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"navigator.javaEnabled()"; content:"document.write(|27|"; within:100; content:"<script src=|22|"; distance:0; pcre:"/\.js\/\?[a-z]+\=[a-z]{1,4}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26226; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"<applet archive=|27|http|3A 2F 2F|"; content:"|27| code=|27|JHelper|27| width=|27|"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26100; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"if (navigator.appName == |27|Microsoft Internet Explorer|27|) {"; content:"document.write(|27|<applet archive=|22|http|3A|//"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26099; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"try{}catch("; content:"}try{"; within:50; content:"}catch("; within:50; content:"|3B|n=|5B|"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26096; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"|3D 5B|0x9,0x9,0x2f,0x2a,0x2a,0xa,0x9,0x9,0x20,0x2a,0x20,"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26095; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:".class|22| width=|22|10|22| height=|22|9|22|>|0D 0A|<param value=|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26094; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22 20|code=|22|"; within:25; content:"|22 20|name=|22|"; within:25; content:"|22|>|0D 0A|<param name=|22|"; within:25; content:"|22 20|value=|22|http|3A 2F 2F|"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:26090; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - setup"; flow:to_server,established; content:".php?setup=d&s="; fast_pattern:only; http_uri; pcre:"/\.php\?setup=d\&s=\d+\&r=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26045; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - redirection attempt"; flow:to_server,established; content:".php?action=jv&h="; fast_pattern:only; http_uri; pcre:"/\.php\?action=jv\&h=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26044; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/Instal.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26043; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - stats loaded"; flow:to_server,established; content:".php?action=stats_loaded"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26042; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/x4.gif"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26041; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/Plugin.cpl"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26040; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; content:"/jmx.jar?r="; fast_pattern:only; http_uri; pcre:"/^\/jmx.jar?r=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26039; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; content:"/jhan.jar?r="; fast_pattern:only; http_uri; pcre:"/^\/jhan.jar?r=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26038; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java Exploit"; flow:to_server,established; content:"/amor"; fast_pattern; http_uri; content:".jar"; within:6; http_uri; content:" Java/"; http_header; pcre:"/^\/amor\d{0,2}\.jar/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26036; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - java on"; flow:to_server,established; content:".php?action=stats_javaon"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26035; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - stats access"; flow:to_server,established; content:".php?action=stats_access"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26034; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit iframe redirection attempt"; flow:to_client,established; file_data; content:"try{"; content:"++}catch("; within:15; content:"{try{"; within:20; content:"}catch("; within:20; content:"=|22|"; within:50; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26033; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<head><title></title></head><body><object WIDTH=|22|"; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26031; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit redirection page received"; flow:to_client,established; file_data; content:"+=|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22 3B|}catch(e){var"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:26013; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"/332.jar|22| code=|22|"; content:"/887.jar|22| code=|22|"; distance:0; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25989; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><td><h1>Loading... Please Wait.</h1></td><script>document.write("; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25988; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit three number PDF Request"; flow:to_server,established; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25972; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25948; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit malicious payload retrieval"; flow:to_server,established; content:"/i8.php?jquery="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V5 exploit download"; flow:to_server,established; content:"/j15.php?i="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25823; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit malicious PDF retrieval"; flow:to_server,established; content:"/p5.php?t="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25822; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit possible plugin detection attempt"; flow:to_server,established; content:"/js/rdps.js"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25821; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure"; flow:to_client,established; file_data; content:"<title>Please Wait...</title></head><body><script>function"; fast_pattern:only; content:"<html><head>"; depth:12; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:25808; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Whitehole exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code"; content:".jar?java="; distance:0; content:"width="; within:15; content:"<param name="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25806; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval"; flow:to_server,established; content:"/Java"; http_uri; content:".jar?java="; http_uri; pcre:"/\/Java([0-9]{1,2})?\.jar\?java=[0-9]{2}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25805; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Whitehole exploit kit malicious jar download attempt"; flow:to_server,established; content:"?java="; fast_pattern:only; http_uri; pcre:"/\?java\=[0-9]{2,6}$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25804; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file dropped"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"BurkinoGoso.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25803; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit encoded portable executable request"; flow:to_server,established; urilen:>40; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[0-9]{7,10}$/U"; metadata:service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25802; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit jar file request"; flow:to_server,established; urilen:>40; content:".jar"; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25801; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit Javascript request"; flow:to_server,established; urilen:>40; content:"/Qm"; http_uri; content:".js"; distance:0; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/Qm[a-zA-Z0-9]+\/[a-z]+\.js$/U"; metadata:service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25800; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit pdf request"; flow:to_server,established; urilen:>40; content:".pdf"; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25799; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit 32-alpha jar request"; flow:to_server,established; flowbits:isset,java_user_agent; urilen:>36; content:"GET"; http_method; content:".jar"; nocase; http_uri; content:" Java/1"; http_header; pcre:"/\/[a-zA-Z0-9]{32}\.jar/U"; flowbits:set,file.exploit_kit.jar; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25798; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/news.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25611; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<script>try"; content:"}catch("; within:50; content:"}try{if("; within:50; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25591; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>"; fast_pattern:only; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25590; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<PARAM VALUE=|22|"; content:"|22| NAME=|22|CODE|22|><PARAM NAME=|22|ARCHIVE|22| VALUE=|22|"; within:50; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25569; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>32; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/q\.php/U"; content:!"siteadvisor.com"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT JDB exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width=|27|0px|27| height=|27|0px|27| code=|22|"; content:"|22| archive=|22|data"; within:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25561; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT JDB exploit kit landing page"; flow:to_client,established; file_data; content:"setTimeout(|22|alert(|27|Adobe Flash must be updated to view this, please install the latest version!|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25560; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT JDB exploit kit landing page retrieval"; flow:to_server,established; urilen:>33; content:"/jdb/inf.php?id="; fast_pattern:only; http_uri; pcre:"/\/jdb\/inf\.php\?id=[a-f0-9]{32}$/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25559; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit redirection"; flow:to_client,established; file_data; content:"{ var"; content:"= document.createElement(|27|iframe|27|)|3B|"; content:".src = |27|http|3A 2F 2F|"; content:"|27 3B| "; distance:0; content:".style.position = |27|absolute|27 3B|"; distance:0; content:".style.border = |27|0|27 3B| "; distance:0; content:".style.height = |27|1px|27 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:25558; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Red Dot executable retrieval attempt"; flow:to_server,established; content:"/load.php?guid="; nocase; http_uri; content:"&thread="; distance:0; nocase; http_uri; content:"&exploit="; distance:0; nocase; http_uri; content:"&version="; within:9; distance:1; nocase; http_uri; content:"&rnd="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25540; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Red Dot java retrieval attempt"; flow:to_server,established; urilen:6; content:"/"; http_uri; content:".jar"; within:4; distance:1; http_uri; pcre:"/\/\[fx]\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25539; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Red Dot landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|"; within:12; distance:1; content:"width=|22|100|22| height=|22|100|22|>"; within:50; content:"<param name|22|guid"; content:"|22| value=|22|"; within:10; content:"<param name=|22|thread"; content:"|22| value=|22|"; within:10; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25538; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|22 2A|"; depth:2; content:"s"; within:1; distance:2; content:"|27|"; within:1; distance:3; metadata:policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html; classtype:trojan-activity; sid:25391; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h1>Open your server</h1>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25390; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<applet  archive=|22|"; content:"|22|  code=|22|"; within:15; distance:5; content:".class|22|  width=|22|"; within:30; distance:5; content:"|22| height=|22|"; within:25; content:"<param"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25389; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/public_version.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25388; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - readme.exe"; flow:to_client,established; content:"filename="; http_header; content:"readme.exe"; within:12; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25387; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - about.exe"; flow:to_client,established; content:"filename="; http_header; content:"about.exe"; within:10; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25386; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - calc.exe"; flow:to_client,established; content:"filename="; http_header; content:"calc.exe"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25385; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - contacts.exe"; flow:to_client,established; content:"filename="; http_header; content:"contacts.exe"; within:13; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25384; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.exe"; flow:to_client,established; content:"filename="; http_header; content:"info.exe"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25383; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit malicious jar archive download"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"hw.classPK"; fast_pattern:only; content:"test.classPK"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25302; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirect to malicious java archive attempt"; flow:to_client,established; file_data; content:"|3C|applet archive|3D 22 2F|read|2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25301; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe name="; content:"=auto frameborder=no align=center height=2 width=2 src=http|3A|//"; within:75; distance:10; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25255; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit portable executable download request"; flow:to_server,established; content:" Java/"; http_header; content:"&h=11"; fast_pattern:only; http_uri; pcre:"/\&h=11$/U"; flowbits:set,file.pe.styx; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25140; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit eot outbound connection"; flow:to_server,established; urilen:75<>98; content:".eot"; fast_pattern:only; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.eot$/U"; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25139; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit pdf outbound connection"; flow:to_server,established; urilen:75<>98; content:".pdf"; fast_pattern:only; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.pdf$/U"; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25138; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit jar outbound connection"; flow:to_server,established; urilen:>150; content:".jar"; fast_pattern:only; http_uri; content:!"Cookie"; nocase; http_header; pcre:"/\/[a-zA-Z0-9]{4,10}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25137; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection"; flow:to_server,established; urilen:>100; content:"/pdfx.html"; fast_pattern:only; http_uri; pcre:"/\/pdfx\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25136; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit outbound class retrieval"; flow:to_server,established; content:"Runs.class"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25053; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit requested - 3 digit"; flow:to_server,established; urilen:8; content:".jar"; http_uri; pcre:"/\x2f\d{3}\.jar/U"; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25052; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:".jar|22| code=|22|Runs.class|22|><param "; fast_pattern:only; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25051; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit PDF Library exploit download"; flow:to_server,established; content:"/lpdf.php?i="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25048; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V7 exploit download"; flow:to_server,established; content:"/j17.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25047; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V6 exploit download"; flow:to_server,established; content:"/j16.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25046; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Collocation"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:25044; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit url structure detected"; flow:to_server,established; content:".php?"; http_uri; content:"|3A|"; within:7; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"&"; distance:0; pcre:"/\.php\?[a-z]{2,8}=[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\&[a-z]{2,8}=/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25043; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit"; flow:to_client,established; flowbits:isset,java_user_agent; content:!"FTB_Launcher.exe"; nocase; http_header; content:"filename="; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cve-2012-5076-massively-adopted.html; classtype:trojan-activity; sid:25042; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Java User-Agent flowbit set"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:"Java/1."; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; flowbits:set,java_user_agent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25041; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound connection"; flow:to_server,established; content:"/build/agrde/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24979; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound payload request"; flow:to_server,established; content:".php?j=1&k="; fast_pattern:only; http_uri; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24978; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound connection attempt"; flow:to_server,established; content:"/build2/serge/opafv.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,urlquery.net/search.php?q=build2%2Fserge&type=string&start=2012-11-22&end=2012-12-07&max=50; reference:url,www.malwaredomainlist.com/mdl.php?search=build2%2Fserge&colsearch=Domain&quantity=50&inactive=on; classtype:trojan-activity; sid:24977; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"{if(typeof"; content:"))|3B|}}return this|3B|}"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:24888; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24865; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24864; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24863; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24862; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>"; within:11; metadata:service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24861; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>"; within:11; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24860; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit outbound JAR download attempt"; flow:to_server,established; content:"?s="; http_uri; content:"&m="; within:3; distance:1; http_uri; pcre:"/^\x2f[A-Za-z0-9]{33}\?s=\d\&m=\d$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:24841; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - JAR redirection"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:12; distance:6; content:"|22| width|3D 22|"; within:12; distance:9; content:"|22| height|3D 22|"; within:12; content:"|0D 0A|<param"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24840; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Blob"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24839; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/org.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:24797; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/net.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:24796; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/edu.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:24795; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/com.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:24794; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit Java Class download"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"GondadGondadExp.class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; reference:url,urlquery.net/report.php?id=222114; classtype:trojan-activity; sid:24793; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit Portable Executable download"; flow:to_client,established; content:" filename="; http_header; content:".exe|0D 0A|"; distance:0; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24791; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Portable Executable request"; flow:to_server,established; content:"load.php?e=u"; http_uri; content:"&token="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24790; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit PDF Exploit download attempt"; flow:to_client,established; content:"application/pdf"; http_header; content:"Content-Disposition|3A| inline|3B| filename=p50"; http_header; content:".pdf|0D 0A|"; distance:0; http_header; pcre:"/filename=p50[a-z0-9]{9}[0-9]{12}\.pdf/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24789; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit PDF Exploit request structure"; flow:to_server,established; content:"p3.php?t=u"; http_uri; content:"&oh="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24788; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit download"; flow:to_client,established; content:" filename="; http_header; content:".jar|0D 0A|"; distance:0; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24787; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit request structure"; flow:to_server,established; content:"j.php?t=u"; http_uri; content:"content-type"; http_header; content:"x-java-archive|0D 0A|"; distance:0; http_header; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24786; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit possible redirection attempt"; flow:to_server,established; content:"/i.php?token="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24785; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24670; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24669; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24668; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24667; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/column.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24638; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24637; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure"; flow:to_server,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; fast_pattern:only; metadata:service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24636; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt"; flow:to_server,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; fast_pattern:only; metadata:service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24608; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page received - specific structure"; flow:to_client,established; file_data; content:"<html><head><title></title></head><body><div "; depth:60; pcre:"/body\x3e\x3cdiv\s[a-z]{3}\x3d\x22[a-z]{3}\x22/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24593; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"try{"; within:20; nocase; content:"}catch("; within:20; nocase; content:"try{"; within:20; content:"}catch("; within:20; content:"=window["; within:100; nocase; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24548; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"try{"; within:20; nocase; content:"}catch("; within:20; nocase; content:"try{"; within:20; content:"}catch("; within:20; content:"=new Array("; within:100; nocase; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24547; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24546; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole admin page outbound access attempt"; flow:to_server,established; content:"/bhadmin.php"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24544; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole admin page inbound access attempt"; flow:to_server,established; content:"/bhadmin.php"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24543; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit fallback executable download"; flow:to_server,established; content:"/adobe/update_flash_player.exe"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:24501; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown exploit kit redirection page"; flow:to_client,established; file_data; content:"<script"; nocase; content:"|3D 22|constructor|22 3B|var|20|"; distance:0; fast_pattern; nocase; content:"|27 3B|var appVersion_var|3D 22|"; distance:0; nocase; content:"].apply(document_body_var,["; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,jsunpack.jeek.org/?report=bf7e015d53808a6e94365139395d4d29e5d41840; classtype:trojan-activity; sid:24344; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?setup="; nocase; http_uri; content:"&s="; distance:0; nocase; http_uri; content:"&r="; distance:0; nocase; http_uri; pcre:"/setup=[a-z]\&s=\d\&r=\d{5}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24234; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?setup="; nocase; http_uri; pcre:"/setup=[a-z]$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24233; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?action="; nocase; http_uri; content:"&h="; distance:0; nocase; http_uri; pcre:"/\&h=\d{5}$/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24232; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"if(navigator.javaEnabled()) {"; content:"document.write("; within:30; content:"php?"; within:75; pcre:"/(action|setup)=[a-z]{1,4}/Ri"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24231; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page Received"; flow:to_client,established; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{10,64}&[a-z]{2,12}=.*?&[a-z]{2,12}=/"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24228; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page received"; flow:to_client,established; file_data; content:"value="; content:"N0b09090"; within:10; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24226; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure"; flow:to_client,established; file_data; content:"<script>try{"; content:"++"; within:20; nocase; content:"}catch("; within:10; nocase; content:"}catch("; within:50; pcre:"/\x3cscript\x3etry\x7b\w+\x2b\x2b([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24054; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure"; flow:to_client,established; file_data; content:"<html><body><applet/code=|22|"; content:"/archive=|22|"; within:20; content:".jar"; within:20; content:"<param/nam="; within:20; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24053; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - fewbgazr catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"fewbgazr"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/fewbgazr([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23962; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - hwehes"; flow:to_client,established; file_data; content:"hwehes"; fast_pattern:only; pcre:"/hwehes[a-z0-9]{15,22}hwehes/smi"; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,jsunpack.jeek.org/dec/go?report=b50c0b809c0decade20f7f8a18116d1bdc9cd179; classtype:trojan-activity; sid:23850; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"?page="; fast_pattern:only; http_uri; pcre:"/\?page\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23849; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"profile.php?woman="; http_uri; pcre:"/profile\.php\?woman\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; metadata:impact_flag red, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23848; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole redirection page"; flow:to_client,established; file_data; content:"width|3D 27|10|27| height|3D 27|10|27| style|3D 27|visibility|3A|hidden|3B|position|3A|absolute|3B|left|3A|0|3B|top|3A|0|3B 27 3E 3C 2F|iframe|3E 22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,www.urlquery.net/report.php?id=113788; classtype:trojan-activity; sid:23797; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - Math.round catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.round"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/Math\x2eround([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23786; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - Math.floor catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.floor"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/Math\x2efloor([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23785; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><script>z=function(){"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:23781; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page request - tkr"; flow:to_server,established; content:".php?"; http_uri; content:"src="; distance:0; http_uri; content:"&gpr="; distance:0; http_uri; content:"&tkr="; distance:0; fast_pattern; http_uri; pcre:"/src=\d+&gpr=\d+&tkr[ib]?=/U"; metadata:policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,urlquery.net/report.php?id=90530; classtype:trojan-activity; sid:23622; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch broken"; flow:to_client,established; file_data; content:"totype"; content:"}catch("; distance:0; pcre:"/totype(\x22|\x27)([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,labs.sucuri.net/?malware; classtype:attempted-user; sid:23619; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and flowbit"; flow:to_client,established; flowbits:isset,kit.redkit; file_data; content:"<applet"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23225; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page Requested - 8Digit.html"; flow:to_server,established; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,kit.redkit; flowbits:noalert; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23224; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and code"; flow:to_client,established; file_data; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; metadata:policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23223; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and 5 digit jar attempt"; flow:to_client,established; file_data; content:"<applet"; fast_pattern:only; pcre:"/<applet[^>]+(archive|src)\s*?=\s*?(\x22|\x27|)\s*?(\d{5}\.jar|[^>]+\/\d{5}\.jar)/smi"; metadata:policy balanced-ips alert, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23222; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit Jar File Naming Algorithm"; flow:to_client,established; content:"Content-Disposition: inline"; nocase; http_header; content:".jar"; fast_pattern; http_header; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; within:2; metadata:policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23221; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit Requested - 5 digit jar"; flow:to_server,established; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23220; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit request to .class file"; flow:to_server,established; content:".class"; http_uri; pcre:"/^\/\w{1,2}\/\w{1,3}\.class$/U"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23219; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit Repeated Exploit Request Pattern"; flow:to_server,established; content:"images.php?t="; fast_pattern:only; http_uri; pcre:"/^images.php\?t=\d{2,7}$/U"; detection_filter:track by_src, count 5, seconds 15; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,labs.snort.org/docs/23218.txt; classtype:trojan-activity; sid:23218; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<h"; nocase; content:"><b>Please wait a moment. You will be forwarded.."; within:54; distance:1; nocase; content:"</h"; within:10; content:"></b>|0D 0A|"; within:7; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23159; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype-"; content:"}catch("; distance:0; pcre:"/prototype\x2d([^\x7d]{1,5})?\x7dcatch\x28/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23158; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear Pack exploit kit binary download"; flow:to_server,established; urilen:47; content:"/g/"; depth:3; http_uri; pcre:"/g\/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23157.txt; classtype:trojan-activity; sid:23157; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Nuclear Pack exploit kit landing page"; flow:to_server,established; urilen:43; content:"/index.php?"; fast_pattern:only; http_uri; pcre:"/index.php\?[0-9a-f]{32}$/U"; metadata:policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23156.txt; classtype:bad-unknown; sid:23156; rev:9;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject"; flow:to_client,established; file_data; content:"StrReverse|28 22|tcejbOmetsySeliF.gnitpircS"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23149; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious StrReverse - Shell"; flow:to_client,established; file_data; content:"StrReverse|28 22|llehS"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23148; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious taskkill script - StrReverse"; flow:to_client,established; file_data; content:"|22|taskkill"; content:"StrReverse"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23147; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fake transaction redirect page to exploit kit"; flow:to_client,established; file_data; content:"<h2>Wait your order</h2>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/spam-scams/paypal-payment-notification-leads-to-blackhole-exploit-kit.html; classtype:attempted-user; sid:23141; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SET java applet load attempt"; flow:to_client,established; file_data; content:"<applet width=|22|1|22| height=|22|1|22|"; fast_pattern; content:"<param name=|22|WINDOWS|22| value="; distance:0; nocase; content:"<param name=|22|OSX|22| value="; distance:0; nocase; content:"<param name=|22|LINUX|22| value="; distance:0; nocase; content:"<param name=|22|64|22| value="; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:23106; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"src.php?case="; http_uri; pcre:"/src.php\?case\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22949; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole landing redirection page"; flow:to_client,established; file_data; content:"document.location|3D 27|http|3A 2F 2F|"; content:"showthread.php?t="; distance:0; pcre:"/showthread\.php\?t\=[a-f0-9]{16}\x27\x3b/smi"; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22041; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"ype|22|].q}catch("; fast_pattern:only; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,research.zscaler.com/2012/04/multiple-hijacking.html; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22040; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; fast_pattern:only; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22039; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit landing page with specific structure - Loading"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|<h1><b>Loading...Please Wait...</b>|0D 0A 0D 0A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21876; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill"; flow:to_client,established; file_data; content:"exec "; content:"taskkill /F /IM"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21875; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse"; flow:to_client,established; file_data; content:"Createobject(StrReverse("; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21874; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Phoenix exploit kit post-compromise behavior"; flow:to_server, established; content:"Accept-Encoding: identity, *|3B|q=0"; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.0|3B| Windows 98)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; reference:url,contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html; classtype:successful-user; sid:21860; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=JavaSignedApplet"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21686; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-3552"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21685; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-0842"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21684; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-0842Helper"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21683; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-90-2010-0188"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21682; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-80-2010-0188"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21681; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-2010-2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21680; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call attempt"; flow:to_server,established; content:".php?e=Adobe-2010-1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21679; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-2008-2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21678; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Java exploit kit iframe drive by attempt"; flow:to_client,established; file_data; content:"function(p,a,c,k,e,d){e=function(c)"; nocase; content:"morale.class"; distance:0; nocase; metadata:service http; reference:cve,2011-3544; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+ThreatBlog%29; classtype:attempted-user; sid:21668; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - catch"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"}catch(qq"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:21661; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page Requested - /Index/index.php"; flow:to_server,established; content:"/Index/index.php"; http_uri; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21660; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21659; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<span style=|22|display:none|3B 22|>safsaf(|27|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21658; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><applet/"; content:"archive="; distance:0; content:"code="; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21657; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\(\w{3}\)/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Phoenix exploit kit landing page"; flow:to_client,established; file_data; content:"String.fromCharCode"; nocase; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; fast_pattern:only; content:".jar|27|"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; classtype:attempted-user; sid:21640; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - BBB"; flow:to_client,established; file_data; content:"<h2>BBB loading to show your URGENT complain status.</h2>"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21581; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific header"; flow:to_client,established; file_data; content:"<h3>Page is loading, please wait..</h3>"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21549; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific header"; flow:to_client,established; file_data; content:"<h1>Loading ... Please  Wait....  </h1>"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21539; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit logo transfer"; flow:to_client, established; flowbits:isset,file.jpeg; file_data; content:"|FB 27 68 DE 2D D6 BF E0 AC BF B5 82 78 7B 5C F0|"; content:"|AE 6E 3C CD EE AE BF 33 F5 0F 58 D5 2D 74 3D 2A|"; distance:0; content:"|04 67 82 31 5F 1F 7F C1 62 A7 D4 EC FC 71 FB 31|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:string-detect; sid:21510; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit rhino jar request"; flow:to_client,established; file_data; content:"archive='rhin.jar'"; content:"archive='Goo.jar'"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:attempted-user; sid:21509; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21492; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code="; nocase; content:"|20|archive="; distance:0; nocase; content:"display|3A|none|3B|"; distance:0; nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red, ruleset community, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - search.php?page="; flow:to_server, established; content:"/search.php?page="; http_uri; pcre:"/search\.php\?page=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21348; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - .php?page="; flow:to_server, established; content:".php?"; http_uri; pcre:"/\.php\?[^=]+?=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21347; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit malicious jar download"; flow:to_client, established; flowbits:isset,blackhole.jar; content:"nginx"; http_header; content:"application/java-archive"; fast_pattern:only; http_header; file_data; content:"Main.class"; content:"Main.classPK"; distance:0; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21346; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit malicious jar request"; flow:to_server, established; content:"content/rin.jar"; fast_pattern:only; http_uri; flowbits:set,blackhole.jar; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21345; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; content:"application/pdf"; fast_pattern:only; http_header; file_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit pdf request"; flow:to_server,established; content:"adp"; fast_pattern; http_uri; content:".php?"; within:5; distance:1; nocase; http_uri; pcre:"/adp\d?\.php\?[fe]=/U"; flowbits:set,blackhole.pdf; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21343; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit response"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"window.document"; fast_pattern:only; content:"split"; pcre:"/\d{1,3}(.)\d{1,3}\1\d{1,3}\1\d{1,3}\1\d{1,3}\1/"; metadata:impact_flag red, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21259; rev:4;)
# alert tcp any $HTTP_PORTS -> any any (msg:"EXPLOIT-KIT Blackhole exploit kit control panel access"; flow:to_client, established; file_data; content:"charset=utf-8|22|/><title>Blackhole v."; pcre:"/[\d\.]+</title>/R"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:policy-violation; sid:21141; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT unknown exploit kit obfuscated landing page"; flow:to_client, established; file_data; content:"[]]}|7C|}{$$$$]}$]]}]]$|7C|$}$]$+]}]/$/]/${$$]$]]]]])$)$|7C|]/$+"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,vrt-blog.snort.org/2012/02/exploit-kit-was-sent-to-you.html; classtype:attempted-user; sid:21108; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimepack exploit kit malicious pdf request"; flow:to_server, established; content:"/pdf.php?pdf="; http_uri; pcre:"/pdf\.php\?pdf=[0-9A-F]+&type=\d+&o=[^&]+&b=/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21099; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimepack exploit kit landing page"; flow:to_client, established; file_data; content:"charCodeAt(0)+13)?c:c-26)|3B|}).replace(/@/g,'A').replace(/!/g,'B').replace(/#/g,'C')"; fast_pattern:only; content:"= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='|3B|"; pcre:"/var ([^\s]+) = ''\x3Bvar ([^,]+), ([^,]+).*\1 = \1 \+ String\.fromCharCode\(\2\).*\!= 64\) \{ \1 = \1 \+ String\.fromCharCode\(\3\)\x3b\}.*\x3breturn unescape\(\1\)\x3b\}return 0\x3b\}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21098; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimepack exploit kit post-exploit download request"; flow:to_server, established; content:"/load.php?spl="; http_uri; pcre:"/^\/load\.php\?spl=[^&]+&b=[^&]+&o=[^&]+&i=/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:successful-user; sid:21097; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimepack exploit kit control panel access"; flow:to_client, established; file_data; content:"<title>CRiMEPACK"; pcre:"/<title>CRiMEPACK [\d\.]+</title>/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:policy-violation; sid:21096; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit post-exploit page request"; flow:to_server, established; content:"load.php?spl="; fast_pattern:only; http_uri; pcre:"/load\.php\?spl=(Spreadsheet|DirectX_DS|MS09-002|MS06-006|mdac|RoxioCP v3\.2|wvf|flash|Opera_telnet|compareTo|jno|Font_FireFox|pdf_exp|aol|javad|ActiveX_pack)/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21071; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit pdf exploit page request"; flow:to_server, established; content:"?spl=2"; fast_pattern:only; http_header; content:"/pdf.php"; http_uri; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit exploit fetch request"; flow:to_server, established; content:"?spl="; fast_pattern:only; http_header; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21069; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Eleanore exploit kit landing page"; flow:to_client, established; file_data; content:"X-Powered-By|3A| PHP/5.2.0|0D 0A|Content-type|3A| text/html|0D 0A 0D 0A|?>X-Powered-By|3A| PHP/5.2.0|0D 0A|"; content:"?>X-Powered-By: PHP/5.2.0"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21068; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>|0D 0A|if(window.document)"; fast_pattern:only; pcre:"/(,\d{1,3}){20}/"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21045; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>"; content:"new Date().getDay"; fast_pattern:only; pcre:"/(#\d{1,2}){20}/"; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21044; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit post-compromise download attempt - .php?e="; flow:to_server, established; content:".php?e="; http_uri; pcre:"/\/[a-z]\.php\?e=[\da-f]+&f=[\da-f]+$/U"; metadata:impact_flag red, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21043; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit post-compromise download attempt - .php?f="; flow:to_server, established; content:".php?f="; http_uri; pcre:"/\/[a-z]\.php\?f=[\da-f]+&e=[\da-f]+$/U"; metadata:impact_flag red, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21042; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - main.php?page="; flow:to_server, established; content:"/main.php?page="; http_uri; pcre:"/main\.php\?page=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21041; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI - w.php?f="; flow:to_server,established; content:"/w.php?f="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file-scan/report.html?id=52d5b9afeb36a048f139923e57fa3ba0fa6d0f02f8ceb1224ac834ca72932584-1323095217; classtype:trojan-activity; sid:20669; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI - /content/v1.jar"; flow:to_server,established; content:"/content/v1.jar"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file-scan/report.html?id=52d5b9afeb36a048f139923e57fa3ba0fa6d0f02f8ceb1224ac834ca72932584-1323095217; classtype:trojan-activity; sid:20668; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI /stat2.php"; flow:to_server,established; content:"/stat2.php?w="; nocase; http_uri; content:"i="; distance:0; nocase; http_uri; pcre:"/stat2\.php\?w=\d+\x26i=[0-9a-f]{32}\x26a=\d+/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf; reference:url,www.virustotal.com/file-scan/report.html?id=567e2dcde3c182056ef6844ef305e1f64d4ce1bf3fa09d8cdc019cca5e73f373-1318617183; reference:url,www.virustotal.com/file/8380bd105559643c88c9eed02ac16aef82a16e62ef82b72d3fa85c47b5441dc7/analysis/; classtype:trojan-activity; sid:20558; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Portable Executable downloaded when mp3 is declared"; flow:to_client,established; content:"filename="; http_header; content:"mp3"; within:25; http_header; content:"|0D 0A|"; within:4; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27005; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=a"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; content:"php?sf="; http_uri; content:"&Ze="; distance:0; http_uri; content:"&m="; distance:0; http_uri; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/U"; flowbits:set,file.exploit_kit.pe; metadata:service http; classtype:trojan-activity; sid:27110; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Momomo.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27109; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; content:"filename="; http_header; content:"exe"; within:25; nocase; http_header; content:"|0D 0A|"; within:4; http_header; file_data; content:"PK"; content:".class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27108; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|00|Han.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27107; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bjisad.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27106; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var "; fast_pattern; content:"document.createElement("; within:80; content:".setAttribute(|22|archive|22|, "; within:65; content:".setAttribute(|22|codebase|22|, "; within:65; content:".setAttribute(|22|id|22|, "; within:65; content:".setAttribute(|22|code|22|, "; within:65; content:"|22|)|3B 0A|document.body.appendChild("; within:65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit rhino remote code execution exploit download - autopwn"; flow:to_server,established; content:"/rhino/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27084; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn"; flow:to_server,established; content:"/jmxbean/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27083; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit flash remote code execution exploit download - autopwn"; flow:to_server,established; content:"/flash_atf/"; fast_pattern; http_uri; content:".swf"; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-1535; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27082; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Internet Explorer exploit download - autopwn"; flow:to_server,established; content:"/ie_exec/2.html"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-4969; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27081; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Firefox exploit download - autopwn"; flow:to_server,established; content:"/ff_svg/1.bin"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0757; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27080; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page stage 2"; flow:to_client,established; file_data; content:"global_exploit_list[exploit_idx].resource"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27079; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<html > <head > <title > Loading"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27078; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>32; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27072; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>16; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27071; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious portable executable download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"c|3A 5C|Soft|5C|cebhlpod.txt"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27069; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Tretre.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27068; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(qwqw){"; fast_pattern:only; metadata:service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27067; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; content:"/jlnp.html"; fast_pattern:only; http_uri; pcre:"/\/jlnp\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<link href=|27|"; content:".css|27| rel=|27|stylesheet|27|><link href=|27|"; within:100; content:"{a={plugins|3A|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27026; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; content:".php?"; http_uri; content:"content-type: application/"; http_header; content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"|27| value=|27|JTIw"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27143; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"<html><head><script type=|27|text/javascript|27| src=|22|js/PluginDetect.js|22|>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27142; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09|    var"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit numerically named exe file dowload"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:4; distance:4; http_header; pcre:"/filename\=\d{4}\.exe$/H"; metadata:policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"counter.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:27242; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page detected"; flow:to_client,established; file_data; content:"<OBJECT CLASSID=|22|clsid|3A|5852F5ED-8BF4-11D4-A245-0080C6F74284|22| width=|22|1|22| height=|22|1|22|><PARAM name=|22|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27241; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit request structure"; flow:to_server,established; content:"/rhino.php?hash="; fast_pattern:only; http_uri; content:"content-type"; http_header; content:"java-archive"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27274; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit iframe redirection"; flow:established,to_client; file_data; content:"<iframe style=|22|position|3A|fixed|3B|top|3A|0px|3B|left|3A|-550px|3B 22| src="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27273; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer toolkit injected iframe detected - specific structure"; flow:to_client,established; file_data; content:"}catch(dgsgsdg"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27271; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"try{++((document.body))}catch(va){if("; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27603; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:" = jref[ind](nip[|22|charAt|22|](i))|3B|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27602; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Kore exploit kit successful Java exploit"; flow:to_server,established; content:"?id="; http_uri; content:"&text="; distance:0; fast_pattern; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27697; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Kore exploit kit landing page"; flow:to_client,established; file_data; content:"</title>|0A|</head>|0A|<body>|0A|<script src="; content:"jquery.js"; within:9; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27696; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Kore exploit kit landing page"; flow:to_client,established; file_data; content:".jnlp|22| /><param name=|22 27|+"; content:"+|27|_embedded|22|"; content:".zip|22| width=|22|10|22|><param name=|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27695; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page"; flow:to_client,established; file_data; content:"position|3A|absolute|3B|top|3A|-1000px|3B|left|3A|-1000px|3B|text-indent|3A|-1000|3B|width|3A|1px|3B|height|3A|1px|3B|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27715; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection injection"; flow:to_client,established; file_data; content:"<!--f04d6c0ecc742ce800a316c742197c6evdrd33vf5rmf60vx-->"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27713; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection injection"; flow:to_client,established; file_data; content:"<!--4db55aefd91c498bc4dd1eddca98a4b5lfvknc5uxdf4g3sa-->"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27712; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit possible jar download"; flow:to_client,established; flowbits:isset,file.jpeg|file.png|file.gif; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; metadata:service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27706; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/wmck.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27705; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/ckwm.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27704; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit landing page"; flow:to_client,established; file_data; content:"ck_wm.indexOf(|22|linux|22|)<=-1"; content:"+expires.toGMTString()|3B|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27702; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Oracle Java Jar file downloaded when zip is defined"; flow:to_client,established; content:"filename="; http_header; content:".zip|0D 0A|"; distance:0; http_header; file_data; content:"PK"; depth:2; content:".class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26292; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Zip file downloaded by Java"; flow:to_server,established; content:".zip"; nocase; http_uri; content:" Java/1"; fast_pattern:only; http_header; flowbits:set,file.exploit_kit.jar; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:27741; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit redirection page"; flow:to_client,established; file_data; content:"|2A 2F|height=|22|"; content:"|22| code=|22|"; within:25; distance:1; content:".class|22| |2F 2A| "; distance:0; fast_pattern; content:".zip|22| width=|22|"; distance:0; content:"|22|><param name=|22|"; within:25; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27739; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page"; flow:to_client,established; file_data; content:"document.write(|27|<iframe style=|22|position|3A|fixed|3B|top|3A|"; content:"px|3B|left|3A|"; within:25; distance:1; content:"|22| height=|22|"; distance:0; content:"|22| width=|22|"; within:25; content:"></iframe>|27|"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27738; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - specific structure"; flow:to_client,established; file_data; content:"/*/0f2490*/"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27734; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - generic structure"; flow:to_client,established; file_data; content:"try|7B 3B 7D|catch("; content:"){try{"; within:30; metadata:policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27733; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit plugin detection page"; flow:to_client,established; file_data; content:"$(document).ready("; content:"=PluginDetect.getVersion,"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27783; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file download attempt"; flow:to_client,established; flowbits:isset,file.exploit_kit.jar; file_data; content:"PK"; depth:5; content:".class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27816; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit malicious redirection attempt"; flow:to_server,established; content:"/n.php?h="; content:"&s="; distance:0; http_uri; pcre:"/\x2fn\.php\?h=[a-zA-Z0-9]*?\&s=[a-zA-Z0-9]{1,5}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27815; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:7; content:"/i.html"; depth:7; fast_pattern; http_uri; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:100; http_header; content:"|0D 0A|"; distance:0; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27814; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page with payload"; flow:to_client,established; file_data; content:"document.write(|27|<applet archive=|22|"; content:".jar|22| code=|22|"; within:50; content:"|22|><param value=|22|http|3A 2F 2F|"; content:!"|22|"; within:60; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27813; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Fiesta exploit kit redirection"; flow:to_server,established; content:"/8jxtl5i/"; depth:9; http_uri; urilen:>63; pcre:"/\x2f\?[0-9a-f]{60,66}[\x3b\d]*$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27810; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:27907; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - readme.dll"; flow:to_client,established; content:"filename="; http_header; content:"readme.dll"; within:12; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27898; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - calc.dll"; flow:to_client,established; content:"filename="; http_header; content:"calc.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27897; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - contacts.dll"; flow:to_client,established; content:"filename="; http_header; content:"contacts.dll"; within:13; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27896; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll"; flow:to_client,established; content:"filename="; http_header; content:"info.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27895; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - about.dll"; flow:to_client,established; content:"filename="; http_header; content:"about.dll"; within:10; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27894; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2008-2992; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27893; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader"; flow:to_server,established; content:"/a.php?e=2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2008-2992; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27892; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit secondary payload"; flow:to_server,established; content:"/p1.exe"; fast_pattern:only; http_uri; content:"p1.exe HTTP/"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27891; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit secondary payload"; flow:to_server,established; content:"/m1.exe"; fast_pattern:only; http_uri; pcre:"/\/m1\.exe$/U"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27890; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=900188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27889; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=800188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27888; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-2884; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27887; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-1297; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27886; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/dl.exe"; fast_pattern:only; http_uri; content:"dl.exe HTTP/"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Oracle Java"; flow:to_server,established; content:"/TobyClass.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27883; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player"; flow:to_server,established; content:"/a.php?e=2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-2884; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27882; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player"; flow:to_server,established; content:"/a.php?e=1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-1297; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27881; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 9"; flow:to_server,established; content:"/a.php?e=900188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27880; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 8"; flow:to_server,established; content:"/a.php?e=800188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27879; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit landing page"; flow:to_client,established; file_data; content:"(z){h=|22|harCode|22 3B|f=["; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27878; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit landing page"; flow:to_client,established; file_data; content:"[|22|s|22|+|22|u|22|+|22|bs|22|+|22|t|22|+|22|r|22|]"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27877; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download"; flow:to_client,established; content:"Content-Type|3A 20|audio/mpeg"; fast_pattern:only; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27876; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit"; flow:to_client,established; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27875; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Kore exploit kit outbound payload download attempt"; flow:to_server,established; content:".html1.zip"; fast_pattern:only; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27873; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page"; flow:to_client,established; file_data; content:"<body><b></b><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px}</style><div>"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27866; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request"; flow:to_server,established; urilen:>32; content:".php"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/[a-f0-9]{32}\/[a-z]{1,15}-[a-z]{1,15}\.php/U"; content:!"PacketShaper"; http_header; content:!"siteadvisor.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27865; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit portable executable download"; flow:to_client,established; flowbits:isset,file.pe.styx; content:"filename="; http_header; content:".exe"; within:4; distance:11; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27936; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|"; within:15; content:".innerHTML.length|3B|"; content:"+=2)"; within:15; pcre:"/for\x28(?P<var>\w+)=0\x3b(?P=var)<(?P<var2>\w+)\.innerHTML.length\x3b(?P=var)\+=2\x29\x20\w+\+=\w+\x28(?P=var2)/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27935; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>notredkit<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27912; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>X2O<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27911; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit successful redirection"; flow:to_client,established; file_data; content:"<iframe src=|27|http|3A 2F 2F|"; content:"|3A|8509|2F|"; distance:0; fast_pattern; content:"|27| border=0 width="; distance:0; content:"height="; within:25; content:"scrolling=no></iframe>"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28038; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude/Popads/Nuclear exploit kit jnlp request"; flow:to_server,established; urilen:71; content:".jnlp"; http_uri; content:"User-Agent|3A 20|JNLP"; fast_pattern:only; http_header; pcre:"/^\/[a-z0-9]{32}\/[a-z0-9]{32}\.jnlp/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28029; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>250; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28028; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"</div><i></i><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:28026; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - IFRAMEr injection tool"; flow:to_client,established; file_data; content:"p=parseInt|3B|ss=String|3B|asgq=|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28022; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"relay.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28021; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"rel.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28020; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"esd.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28019; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"count.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28018; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"cnt.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28017; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"clicker.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28016; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT g01pack exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe src=|22|http|3A 2F 2F|"; content:"|22| style=|22|border|3A|0px #FFFFFF none|3B 22| name=|22|test|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28015; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit post Java compromise download attempt"; flow:to_server,established; urilen:35; content:" Java/1."; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[0-9]$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28111; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt"; flow:to_server,established; urilen:70; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28109; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Adobe Flash exploit download attempt"; flow:to_server,established; urilen:70; content:".swf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28108; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana exploit kit redirection attempt"; flow:to_server,established; content:".js?cp="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{8}\.js\?cp\x3d/Umi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28138; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/JavaSignedApplet.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28199; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-3552.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28198; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-0842Helper.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28197; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-0842.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28196; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT X2O exploit kit post java exploit download attempt"; flow:to_server,established; urilen:13; content:"/blog/"; http_uri; content:" Java/1."; fast_pattern; http_header; pcre:"/^\/blog\/[a-zA-Z0-9]{3}\.(g(3|e)d|mm|vru|be|nut)$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28195; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>Adikj<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28194; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection received"; flow:to_client,established; file_data; content:"<iframe src=|22|http|3A 2F 2F|"; content:"|3A|85|2F|"; within:30; content:"|22| width=|22|0|22|"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28213; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kits malicious pdf download"; flow:to_client,established; flowbits:isset,file.exploit_kit.pdf; file_data; content:"%PDF-"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28238; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt"; flow:to_server,established; content:".pdf"; fast_pattern; http_uri; content:"Referer|3A|"; http_header; pcre:"/\/[0-9a-f]{32}\/[0-9]{10}\.pdf$/U"; pcre:"/Referer\x3a.*?\.html\x0d\x0a/H"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28237; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude/Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"</adress><br>"; content:"<cite>"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28236; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28233; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28291; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page attempt"; flow:to_server,established; content:".php?catalogp="; fast_pattern:only; pcre:"/\.php\?catalogp\=\d{2}$/U"; content:"Referer"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28265; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit java compromise successful"; flow:to_server,established; content:".php?"; http_uri; content:"&special="; distance:0; http_uri; content:"&alert="; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28264; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise"; flow:to_server,established; content:".php?ex=rhi"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&ver=1."; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28310; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise"; flow:to_server,established; content:".php?ex=jre"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&ver=1."; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28309; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Adobe Reader compromise"; flow:to_server,established; content:".php?ex=ad"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:!"&os="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28308; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Himan exploit kit landing page"; flow:to_client,established; file_data; content:"if ((jver >= 600) && (jver < 627)) {"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-2465; reference:cve,2013-2551; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28307; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt"; flow:to_server,established; urilen:81; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/\d{10}\/[a-f0-9]{32}\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28414; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt"; flow:to_client,established; file_data; content:"element.style.left=|27|-"; content:"px|27 3B|element.style.top=|27|-"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28413; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt"; flow:to_server,established; urilen:<25; content:".ld"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\.ld$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28450; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit outbound connection attempt"; flow:to_server,established; urilen:<25; content:".ee"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.ee$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28449; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit zip file download"; flow:to_server,established; content:".zip"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+/\d\.zip$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28430; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt"; flow:to_server,established; urilen:15; content:".jnlp"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-z0-9]{9}\.jnlp$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28429; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Glazunov exploit kit landing page"; flow:to_client,established; file_data; content:"= |22|applet|22 3B 20|"; content:"= |22|object|22 3B 20|"; within:50; content:"=|27|param|27 3B 20|"; within:50; content:".zip|27 3B| </script>"; distance:0; pcre:"/\/\d+\/\d\.zip\x27\x3b/"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28428; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; content:".tpl"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/\d{10}\/[a-f0-9]{32}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-2551; classtype:trojan-activity; sid:28424; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit single digit exe detection"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:6; fast_pattern; http_header; pcre:"/filename=[\x22\x27]?\d\.exe[\x22\x27]?/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28423; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; fast_pattern; http_uri; pcre:"/^\/i.html\?[a-z0-9]{4}\x3D[a-z0-9]{15}/smiU"; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:125; http_header; content:"|0D 0A|"; distance:0; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28478; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound pdf request"; flow:to_server,established; urilen:<25; content:".pdf"; http_uri; content:"/i.html?"; fast_pattern:only; http_header; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:100; http_header; content:"|0D 0A|"; distance:0; http_header; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28477; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request by Java - generic detection"; flow:to_server,established; urilen:21<>39; content:":8000"; fast_pattern:only; http_header; content:" Java/1."; http_header; pcre:"/\/[a-z]+\?[a-z]+\=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28476; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:":8000/"; fast_pattern:only; http_header; content:"Referer"; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28475; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound plugin detection response - generic detection"; flow:to_server,established; urilen:<18,norm; content:"POST"; http_method; content:"Referer|3A|"; http_header; content:"|3A|8000/"; distance:0; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28474; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit payload download attempt"; flow:to_server,established; urilen:15; content:"/1"; depth:2; fast_pattern; http_uri; pcre:"/^\/1[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:!"Referer"; http_header; content:!"Host|3A| fb.me|0D 0A|"; http_header; metadata:service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28616; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit exploit download attempt"; flow:to_server,established; urilen:15; content:"/0"; depth:2; fast_pattern; http_uri; pcre:"/^\/0[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:"User-Agent|3A|"; http_header; content:!"Referer"; http_header; flowbits:set,file.exploit_kit.jar; flowbits:set,file.exploit_kit.silverlight; metadata:service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28615; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"type=|22|application/x-silverlight-2|22|"; content:"<param name=|22|source|22| value=|22|/0"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28614; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<title>|0D 0A 20 20|Microsoft apple.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28613; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Silverlight exploit download"; flow:to_client,established; flowbits:isset,file.exploit_kit.silverlight; file_data; content:"PK"; content:"AppManifest.xaml"; distance:0; content:".dll"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28612; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit outbound connection attempt"; flow:to_server,established; urilen:<25; content:".rtf"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.rtf$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28611; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retreive attempt"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.doc$/U"; flowbits:set,file.sakura_kit; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:28610; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download"; flow:to_client,established; flowbits:isset,file.sakura_kit; file_data; content:"secretsecretsecretsecretsecretsecret"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28609; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit Atomic exploit download - specific-structure"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main-Class|3A| atomic.Atomic"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28608; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit payload request"; flow:to_server,established; urilen:24<>26,norm; content:"/f/"; fast_pattern:only; http_uri; pcre:"/^\/f\/1\d{9}\/\d{9,10}(\/\d)+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28596; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Oracle Java jar file retrieval"; flow:to_server,established; urilen:25<>26,norm; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d{9,10}\/1\d{9}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28595; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; urilen:26,norm; content:".tpl"; fast_pattern:only; http_uri; pcre:"/^\/\d{10}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28594; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28593; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit possibly malicious iframe embedded into a webpage"; flow:to_client,established; file_data; content:"name=Twitter scrolling=auto frameborder=no align=center height="; content:" width="; within:20; content:" src=http|3A 2F 2F|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28798; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt"; flow:to_client,established; file_data; content:"binkeybinkeybinkeybinkeybinkeybinkey"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,vrt-blog.snort.org/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28797; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT iFRAMEr successful cnt.php redirection"; flow:to_server,established; content:"/cnt.php?id="; fast_pattern:only; http_uri; content:"Referer|3A 20|"; http_header; pcre:"/^\/cnt\.php\?id=\d+$/U"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,vrt-blog.snort.org/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28796; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt"; flow:to_server,established; urilen:<30; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/\d+\.mp3$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0507; reference:url,vrt-blog.snort.org/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28795; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:":8000"; fast_pattern:only; http_header; content:"Referer"; http_header; pcre:"/\x2f[a-z]+\?[a-z]+=\d{6,7}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28911; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string"; flow:to_server,established; content:"/tx.exe"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28969; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound flash exploit retrieval attempt"; flow:to_server,established; content:"/fla.swf"; fast_pattern:only; http_uri; content:"x-flash-version|3A 20|"; http_header; pcre:"/Referer\x3a[^\n]*fla\.php\?wq=[a-f0-9]+\x0d\x0a/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28968; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection"; flow:to_server,established; urilen:>100; content:".php?hgfc="; fast_pattern:only; http_uri; pcre:"/\.php\?hgfc\=[a-f0-9]+$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28967; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound POST connection"; flow:to_server,established; content:"POST"; http_method; content:"hyt="; depth:4; http_client_body; content:"&vre="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28966; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT HiMan exploit kit Flash Exploit landing page"; flow:to_client,established; file_data; content:"flash_version != null && flash_version[0] < 116000"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28963; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit jar exploit download"; flow:to_server,established; content:".html?jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\.html\?jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit Silverlight plugin outbound connection attempt"; flow:to_server,established; content:"html?sv="; fast_pattern:only; http_uri; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SPL2 exploit kit landing page detection"; flow:to_client,established; content:"$$.getVersion(|22|Silverlight|22|)|3B|"; content:"$$.getVersion(|22|Java|22|)"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt"; flow:to_server,established; urilen:<16; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/\d{1,2}(?P<letter>[A-Z])\d{1,2}(?P=letter)\d{1,2}(?P=letter)\d{1,2}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29131; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload download attempt"; flow:to_server,established; urilen:13; content:" Java/1."; fast_pattern:only; http_header; pcre:"/^\/\d{4}\/\d{7}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29130; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit jar exploit download - specific structure"; flow:to_server,established; content:"/hanger.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29129; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29128; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit XORed payload download attempt"; flow:to_client,established; file_data; content:"|7C 68 A3 34 36 36 37 38 35 32 33 34 CA C9 37 38|"; depth:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/12/cve-2013-5329-or-cve-2013-5330-or.html; classtype:trojan-activity; sid:29066; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; content:".exe|0D 0A|"; fast_pattern:only; http_header; content:"filename="; http_header; content:".exe|0D 0A|"; within:6; distance:24; http_header; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/H"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29167; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_server,established; content:"/loadmsie.php?id="; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29166; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound jar request"; flow:to_server,established; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-f0-9]{32}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29165; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound flash request"; flow:to_server,established; content:".swf"; http_uri; content:"x-flash-version|3A|"; http_header; content:"Referer"; http_header; content:"flash.php?id="; distance:0; http_header; pcre:"/\/[a-f0-9]{32}\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29164; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound exploit request"; flow:to_server,established; content:".php?id="; http_uri; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=[a-f\d]{20}/iU"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29163; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request"; flow:to_server,established; urilen:34; content:"/?"; depth:2; fast_pattern; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_header; content:!"Referer|3A|"; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29189; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit embedded open type font file request"; flow:to_server,established; urilen:37; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29188; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound pdf request"; flow:to_server,established; urilen:<27; content:".pdf"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^\/\d{8,11}\/1[34]\d{8}\.pdf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[\w_]{32,}\.html\r$/Hsm"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29187; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound connection"; flow:to_server,established; urilen:<28; content:"/1"; http_uri; content:".htm"; distance:0; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^(\/\d{8,11})?(\/\d)?\/1[34]\d{8}\.htm$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29186; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"nib|28 27|http|3A 2F 2F|"; content:".mp3|27 29 3B|"; within:25; distance:10; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29361; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"4Um3S0Vm3"; depth:15; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29360; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit eot outbound connection"; flow:to_server,established; urilen:>100; content:".eot"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:!"|0D 0A|"; within:100; content:"/fnts.html"; distance:0; http_header; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29453; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; http_uri; pcre:"/\/i\.html\?[a-z0-9]+\=[a-zA-Z0-9]{25}/U"; flowbits:set,styx_landing; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29452; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound connection attempt"; flow:to_server,established; content:"/?id=ifrm"; fast_pattern:only; http_header; content:"/?"; depth:2; http_uri; pcre:"/\/\?[a-z0-9]{9}\=[a-zA-Z0-9]{45}/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29450; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; flowbits:isset,styx_landing; file_data; content:"<textarea id=|22|"; content:"|22|>"; within:10; isdataat:300,relative; content:!"</textarea>"; within:300; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29449; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"document.write(|27|<app|27|+|27|let archive=|22|"; content:".jar|22| code=|22|"; distance:0; content:"<param val|27|+|27|ue=|22|http|3A 2F 2F|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29448; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download - scandsk.exe"; flow:to_client,established; content:"attachment|3B|"; http_header; content:"scandsk.exe|0D 0A|"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:29447; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit jar outbound connection"; flow:to_server,established; urilen:>100; content:".jar"; fast_pattern:only; http_uri; content:"Cookie"; http_header; content:!"|0D 0A|"; within:100; content:" Java/1"; http_header; pcre:"/\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29446; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit fonts download page"; flow:to_server,established; content:"/fnts.html"; fast_pattern:only; http_uri; pcre:"/\/fnts\.html$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29445; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download"; flow:to_client,established; content:"flashplayer11_"; http_header; file_data; content:"MZ"; depth:2; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29444; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Fiesta exploit kit outbound connection attempt"; flow:to_server,established; urilen:>70; content:"User-Agent|3A|"; http_header; content:"/"; depth:2; offset:8; http_uri; content:!"&"; http_uri; content:!"details"; http_uri; content:!"weather"; http_uri; content:!"texture"; http_uri; content:!"mailing"; http_uri; content:!"captcha"; http_uri; content:!"/counters/"; http_uri; content:!"/results/"; http_uri; pcre:"/^\/\/?[a-z0-9_]{7,8}\/\??[0-9a-f]{60,68}[\x3b\x2c\d+]*$/U"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.silverlight&file.exploit_kit.flash; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:29443; rev:14;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|7D 6B F8 64 76 74 6E 66|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29414; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E F2 32 30 34 6E 68|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29413; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit Java download attempt"; flow:to_server,established; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_-]{48}$/Ui"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29412; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"navigator.userAgent.indexOf(|27|Firefox|27|)>=0|7C 7C|navigator.userAgent.indexOf(|27|MSIE|27|)>=0))"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29411; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; nocase; http_uri; content:" Java/1."; fast_pattern:only; http_header; pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:29864; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older"; flow:to_server,established; content:".php?a=h7"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30009; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP"; flow:to_server,established; content:".php?a=h6"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30008; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17 "; flow:to_server,established; content:".php?a=h5"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30007; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP"; flow:to_server,established; content:".php?a=h4"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30006; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17"; flow:to_server,established; content:".php?a=h3"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30005; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17"; flow:to_server,established; content:".php?a=h2"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30004; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt"; flow:to_server,established; content:".php?a=dw"; fast_pattern:only; http_uri; pcre:"/\?a=dw[a-z]$/U"; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2012-1723; reference:cve,2013-1489; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30003; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit Java download attempt"; flow:to_server,established; content:".php?a=r"; fast_pattern:only; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30002; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected"; flow:to_client,established; file_data; content:"document.createElement(|22|iframe|22|)"; fast_pattern:only; content:".width"; content:".height"; content:".style.visibility"; within:50; content:".php"; within:300; content:".appendChild("; within:500; pcre:"/var\s(?P<name>\w+)\s?=\s?document\.createElement\x28\x22iframe\x22\x29.*?(?P=name)\.style\.visibility.*?(?P=name)\.src\s?=\s?[\x22\x27][^\x22\x27]*\.php.*?\.appendChild\x28(?P=name)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30001; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload delivery - specific string"; flow:to_client,established; content:"filename="; http_header; content:"very.mhh"; within:12; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30134; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"frameborder=|22|NO|22| framespacing=|22|0|22| border=|22|0|22|><frame name="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30133; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(?:\/\d)?\/1[34]\d{8}(?:\/\d{9,10})?(?:\/\d)+[^a-zA-Z]{1,6}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30220; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound jar request"; flow:to_server,established; content:"/1"; http_uri; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^(?:\/\d{9,10})?(?:\/\d)?\/1[34]\d{8}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30219; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Zuponcic exploit kit Oracle Java file download"; flow:to_client,established; content:"filename="; nocase; http_header; content:"FlashPlayer.jar"; within:17; fast_pattern; http_header; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\?rnd=\d+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30319; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"<html><th>Wait Please...</th><body>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30317; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:".xml|22| name=|22|jnlp_href|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT WhiteLotus exploit kit plugin outbound detection"; flow:to_server,established; urilen:32; content:"POST"; http_method; content:"v="; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"&w="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30312; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SofosFO/Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30306; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:>32; content:" Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9]){32}[\/_]*?\/\d+?$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30768; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:66; content:" Java/1."; http_header; pcre:"/^\/(?:[a-f0-9]{32}\/[a-f0-9]{32})$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30767; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit landing page"; flow:to_client,established; file_data; content:"<EMBED code="; content:"archive=|22|http|3A 2F 2F|"; distance:0; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\x22/R"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30766; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - base64 encoded xml/jnlp statement"; flow:to_client,established; file_data; content:"Cjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+CjxqbmxwIHNwZWM9IjEuMCIgeG1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30852; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java"; flow:to_server,established; urilen:<50,norm; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\d+\.mp3$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30878; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound PDF request"; flow:to_server,established; content:".pdf"; http_uri; content:"/1/1"; fast_pattern:only; http_uri; content:".html"; http_header; pcre:"/^\/\d{9,10}\/1\/1\d{9}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30937; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure"; flow:to_server,established; content:".php?req="; fast_pattern; nocase; http_uri; content:"&PHPSSESID="; distance:0; http_uri; pcre:"/\.php\?req=(?:x(?:ap|ml)|swf(IE)?|mp3|jar)\&/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30936; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|3A|stroke id="; fast_pattern:only; content:"|3B|function pop(koz)"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30935; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|89 B4 F4 6A 24 1F 46 14|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30934; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit redirection gate"; flow:to_server,established; urilen:72; content:"POST"; http_method; content:".php?q="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30920; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request"; flow:to_server,established; content:"/testi.jnlp"; content:" Java/1."; distance:0; metadata:impact_flag red, service http; classtype:trojan-activity; sid:30960; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"<script>"; content:"var "; within:4; distance:1; content:"|27|toString|27|"; distance:0; pcre:"/var\s+(?P<name>\w+)\=function\(.*?\x27\x2b(?P=name)\(\d+\x29/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30976; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"document.write"; content:"archive="; distance:0; content:".jar"; distance:0; pcre:"/\/[a-f0-9]{32}\.jar/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30975; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload request"; flow:to_server,established; content:"/load"; http_uri; content:".php"; distance:0; http_uri; pcre:"/\/load(?:(?:db|rh|silver|msie|im|flash|fla[0-9]{4,5}))\.php/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/05/29/index.html; classtype:trojan-activity; sid:30973; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Silverlight landing page"; flow:to_server,established; content:"/silver.php"; fast_pattern:only; http_uri; flowbits:set,critx_font; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30972; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Oracle Java landing page"; flow:to_server,established; content:"/java"; fast_pattern:only; http_uri; pcre:"/\/java(rh|db)\.php$/U"; flowbits:set,critx_java; metadata:service http; classtype:trojan-activity; sid:30971; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Adobe Flash landing page"; flow:to_server,established; content:"/flash201"; fast_pattern:only; http_uri; pcre:"/\/flash201(3|4)\.php$/U"; flowbits:set,critx_flash; metadata:service http; classtype:trojan-activity; sid:30970; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Internet Explorer landing page"; flow:to_server,established; content:"/msie.php"; fast_pattern:only; http_uri; flowbits:set,critx_ie; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30969; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to font exploit"; flow:to_client,established; flowbits:isset,critx_font; file_data; content:"/x-silverlight-2"; content:".eot"; distance:0; content:"aHR0cDov"; distance:0; pcre:"/^[\w+\/]+(?:(?:LmVvdA|5lb3Q)==?|uZW90)[\x22\x27]/Rsi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30968; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"createFlashMarkup"; content:".swf"; distance:0; pcre:"/[a-zA-Z0-9]\/[a-f0-9]{5}\.swf[\x22\x27]/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30967; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Microsoft Internet Explorer exploit"; flow:to_client,established; flowbits:isset,critx_ie; file_data; content:"behavior:url(#default#VML"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30966; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"jnlp_embedded"; content:"C9qbmxwPg=="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30965; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:70<>82; content:"= HTTP/"; fast_pattern:only; content:"User-Agent"; http_header; pcre:"/^\/[-\w]{70,78}==?$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:service http; classtype:trojan-activity; sid:31046; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|21 3B E3 70 65 6E 66 64|"; depth:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31130; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E F2 32 30 34 6E 68|"; depth:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31129; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound swf request"; flow:to_server,established; content:"/1"; http_uri; content:".swf"; fast_pattern:only; http_uri; pcre:"/^(?:\/\d{9,10})?(?:\/[16])?\/1[34]\d{8}\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31237; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound jar request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/modules\/\d\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31232; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/load_module.php?user="; fast_pattern:only; http_uri; pcre:"/\/load_module\.php\?user\=(n1|1|2|11)$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31231; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/add_visitor.php?referrer=http://"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31230; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; pcre:"/\/modules\/(n?\d|nu)\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31229; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"#default#VML"; fast_pattern:only; content:"*/var "; isdataat:500,relative; content:"|3B|function "; within:50; pcre:"/\x3bfunction\s(?P<name>\w)\x28.*\x3b(?P=name)\x28\x22[\da-z]+\x22\x29\x3b/"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:31298; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit decryption page outbound request"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\sHTTP/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31279; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".mkv"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.mkv/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31278; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle Java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".djvu"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.djvu/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31277; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:35; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\/\d+\.\d+\.\d+\.\d+\//"; flowbits:set,file.exploit_kit.flash; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0634; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31276; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit landing page"; flow:to_client,established; content:"*/adv=|27|OrbitWhite|27|/* "; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31275; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit encrypted binary download"; flow:to_client,established; content:"filename="; content:".jat"; distance:0; pcre:"/filename=[a-z]+\.jat/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31274; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:65,norm; content:"User-Agent"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{64}$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:31332; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E C2 32 61 34 6E 68|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31331; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body style=|22|margin|3A|0px|3B 22|><body style=|22|margin|3A|0px|3B 22|>"; fast_pattern:only; content:"<iframe src=|22|http|3A 2F 2F|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31372; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:"Cache-Control|3A 20|no-cache|0D 0A 0D 0A|"; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1\.[^\x2f]+Host\x3a\x20[^\x3a]+\x3a\d+\x0d\x0a/"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31371; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit redirection page"; flow:to_client,established; file_data; content:"var|20|"; content:"|3B 20|var|20|"; within:20; distance:5; content:"|3B 20|if(!Array.prototype.indexOf){"; within:50; distance:5; content:"this.length|3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; pcre:"/^\/\d{2,4}\.xap$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31369; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:established,to_server; urilen:25<>32; content:".html?0."; depth:11; offset:2; http_uri; pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request"; flow:to_server,established; content:".x HTTP/1."; fast_pattern:only; content:" MSIE "; http_header; content:!"Referer"; nocase; http_header; flowbits:set,file.exploit_kit.silverlight; flowbits:noalert; metadata:service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31701; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit landing page detection"; flow:to_client,established; file_data; content:"<li class=|22|is-new|22|>"; content:"<a href=|22|show.php"; within:17; distance:1; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31700; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|71 75 B9 86 D8 51 1B 7B|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31699; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 36 F4 6F 6D 6A 66 67|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31695; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B 28 FF 53 4B 75 39 68|"; depth:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31694; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page detected"; flow:to_client,established; file_data; content:"=|22|1|3B|url=about|3A|Tabs|22 20|http-equiv"; fast_pattern:only; content:"|5C|x72|5C|x65|5C|x70|5C|x6C|5C|x61|5C|x63|5C|x65"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31692; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detection"; flow:to_client,established; file_data; content:"=|27|+|27 20 22|re|27|+|27|pl|27|+|27|ac|27|+|27|e|22 3B 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31734; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt"; flow:to_client,established; content:"jquery_datepicker"; fast_pattern:only; pcre:"/(var jquery_datepicker=)|(jquery_datepicker.replace)/"; metadata:impact_flag red, service http; reference:url,malware-traffic-analysis.net/2014/08/18/index.html; classtype:trojan-activity; sid:31770; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port"; flow:to_server,established; content:"/stargalaxy.php?nebula="; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31769; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"ZWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31903; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"CWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31902; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected"; flow:to_client,established; file_data; content:"9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31901; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected"; flow:to_client,established; file_data; content:"nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31900; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected"; flow:to_client,established; file_data; content:"SYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6Qty"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31899; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|22 29 3B 0A 0D 0A|</script>"; fast_pattern; content:"</script>|0A|<script>"; within:150; content:"|0A 0D 0A|</script>|0D 0A|<h"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31898; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8087 (msg:"EXPLOIT-KIT Scanbox exploit kit exfiltration attempt"; flow:to_server,established; content:"projectid="; depth:10; nocase; content:"&seed="; within:40; nocase; content:"&ip="; within:40; nocase; content:"&referrer="; within:40; nocase; content:"&agent="; within:40; nocase; content:"&location="; within:250; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31859; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_server,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31858; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_client,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31857; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0 DB D2 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31972; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit redirection attempt"; flow:to_server,established; urilen:>60,norm; content:"POST"; http_method; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Referer|3A 20|"; http_header; content:"x-req|3A 20|"; fast_pattern; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31970; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|F2 F7 94 75 16 7E 8E 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31967; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31966; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit landing page"; flow:to_client,established; file_data; content:"{(new Image).src=|22|/"; content:"%72%6f%72%72%65%6e%6f"; distance:0; fast_pattern; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31965; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit landing page"; flow:to_client,established; file_data; content:"expires=|22|+expires.toGMTString()"; nocase; content:"51yes.com/click.aspx?"; fast_pattern; nocase; content:"|22|gb2312|22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31988; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32390; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Oracle Java request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/14\d{8}(.jar)?$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32389; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"*/ new Function(|22|"; content:"|22|,|22|if("; within:20; content:" != |27 27|){"; pcre:"/new\sFunction\x28\x22(?P<a1>\w+)\x22\,\x22if\x28(?P=a1)\x20/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32388; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit jar file download"; flow:to_client,established; content:"filename="; content:".swf"; within:4; distance:8; file_data; content:"PK|03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32387; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound structure"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(\/[^\x2f]+)?\/14\d{8}(\/\d{9,10})?(\/\d)+(\/x[a-f0-9]+(\x3b\d)+?)?$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32386; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound Oracle Java request"; flow:to_server,established; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:" Java/1."; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:32399; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request"; flow:to_server,established; content:"/Plugin.jar"; http_uri; content:" Java/1."; http_header; content:"="; depth:1; offset:32; http_cookie; pcre:"/[a-f0-9]{32}=[a-f0-9]{32}/C"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32555; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hellspawn exploit kit landing page detected"; flow:to_client,established; file_data; content:"weCameFromHell(|27|<applet name=|22|Update Java"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32554; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port"; flow:to_server,established; content:"GET"; content:".jnlp HTTP/1.1"; distance:0; content:" Java/1."; content:"Host"; content:"|3A|"; distance:0; pcre:"/(applet|testi)\.jnlp\sHTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32641; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection"; flow:to_server,established; content:"GET /"; content:".php?"; fast_pattern:only; pcre:"/\w+\.php\?\w+\=\d+\s*HTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32640; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port"; flow:to_server,established; content:"GET"; content:".jar HTTP/1.1"; distance:0; content:" Java/1."; content:"Host|3A|"; pcre:"/Host\x3a[^\n]+\x3a\d+\r\n/"; metadata:service http; classtype:trojan-activity; sid:32639; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port"; flow:to_server,established; content:"GET /"; content:"x-flash-version|3A 20|1"; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; pcre:"/Referer\x3a[^\n]+\x3a\d+\x2f/"; metadata:service http; classtype:trojan-activity; sid:32638; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT known malicious javascript packer detected"; flow:to_client,established; file_data; content:"function|28 2F 2A|"; content:"|2A 2F|p,|2F 2A|"; within:25; content:"|2A 2F|a,|2F 2A|"; within:25; content:"|2A 2F|c,|2F 2A|"; within:25; content:"|2A 2F|k,|2F 2A|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/; classtype:misc-activity; sid:32804; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CK exploit kit landing page"; flow:to_client,established; file_data; content:"=|22|i|22|+|22|m|22|+|22|g|22 3B|"; content:"=|22|s|22|+|22|r|22|+|22|c|22 3B|"; within:14; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32803; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; urilen:>36; content:"/ABs"; fast_pattern:only; http_uri; pcre:"/^\/ABs[A-Za-z0-9]+$/U"; flowbits:set,Nuclear; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32880; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit payload delivery"; flow:to_client,established; flowbits:isset,Nuclear; content:"X-Powered-By|3A 20|"; http_header; content:"application/octet-stream"; http_header; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:"filename="; distance:0; http_header; pcre:"/filename=[a-z0-9]+\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32879; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32878; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/13"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}(?:\.swf)$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32877; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})(?:\.xap)$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32876; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit Adobe Flash download"; flow:to_client,established; flowbits:isset,file.nuclear.flash; content:"x-shockwave-flash"; http_header; content:"filename="; distance:0; http_header; content:".swf"; distance:0; http_header; pcre:"/filename\=\d+\.swf/H"; content:"ZWS"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32995; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; file_data; content:"|12 73 00 00 62 05 24 01 C5 25 FF 01 A8 63 05 62 03 62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33187; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8 63 06|"; content:"|62 06 66 01 25 FF 01 A8 C5 25 FF 01 A8 63 09|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33186; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B C7 6A 1E 7C C2 43 EA|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33185; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash download"; flow:to_client,established; content:"Expires|3A| Sat, 26 Jul 2007 05|3A|00|3A|00 GMT"; fast_pattern:only; http_header; content:"x-shockwave-flash"; nocase; http_header; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33184; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2039"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33183; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request"; flow:to_server,established; urilen:49,norm; content:"Referer"; http_header; content:"x-flash-version|3A|"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{48}$/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33182; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33274; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33273; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33272; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33271; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|80 E2 3F 18 CF F1 3D 00 C4 1C 6E 7A 9F A6 2F 5D 04 11 2E BF C5 79 FC FC 26 2F F0 88 C6 76 1D C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33286; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"allowScriptAccess=always"; fast_pattern:only; content:"param name=FlashVars"; nocase; content:"value"; within:25; nocase; content:"exec="; within:25; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:33292; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound uri structure"; flow:to_server,established; urilen:27; content:"/lists/"; fast_pattern:only; http_uri; pcre:"/^\/lists\/\d{20}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33663; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>170,norm; content:"/?"; depth:2; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33906; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>220,norm; content:"/index.php?"; depth:11; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; content:"/?"; http_header; content:"=l3S"; http_header; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33905; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit obfuscated file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A 3F 0B D4 6C 4F 48 61 50|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33983; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"</script></head>|0D 0A|<body>|0D 0A|<h"; fast_pattern:only; content:"<textarea id=|27|"; content:"|27| title=|27|"; within:25; content:"|27| name=|27|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33982; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit flash file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A|ZWS"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33981; rev:2;)