Rule History

SID: 2019672 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 3 • Nov 7, 2014, 12:00 PM

Message:

ET EXPLOIT_KIT Possible HanJuan EK Flash Payload DL

Rule:

alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Flash Payload DL"; flow:established,to_server; http.uri; content:"/"; content:".php"; endswith; fast_pattern; within:11; pcre:"/\/[a-z]{3,7}\.php$/"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; content:"|0d 0a|Cache-Control|0d 0a|"; classtype:exploit-kit; sid:2019672; rev:3; metadata:created_at 2014_11_07, confidence Medium, signature_severity Major, updated_at 2024_02_23;)

Created:

Nov 7, 2014, 12:00 PM

Updated:

Feb 23, 2024, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-exploit_kit.rules