Rule

--
Sid
23218

--
Summary:
This event is generated when a series of requests related to the RedKit exploit kit are generated by a machine in the process of exploitation.

--
Impact:
Likely malicious content hosted on the web page being downloaded.

--
Detailed Information:
The RedKit exploit kit uses a distinct URL scheme for hosting the actual malicious files used during the process of exploiting a client system. When a user is directed to a copy of this exploit kit, several requests with an identical structure will be made, as the kit sends down all of the exploits in its arsenal. Whether the client has been successfully attacked will depend on its patch level against the exploits in question.
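As an added illustration of the traffic pattern described above (not the Snort rule itself and not Sourcefire's code), the script below scans proxy log lines for the burst of structurally identical requests from one client to one host that the kit produces while delivering its exploits; the log format, the sample lines and the placeholder paths are constructed assumptions, not RedKit's actual URL scheme.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (assumed format: "<ISO time> <client_ip> <method> <url>").
# The paths are placeholders and do NOT reproduce RedKit's real URL scheme.
SAMPLE_LOG = """\
2013-04-02T10:15:01 10.0.0.7 GET http://example-landing.test/index.html
2013-04-02T10:15:02 10.0.0.7 GET http://example-landing.test/a1b2c3d4.html
2013-04-02T10:15:03 10.0.0.7 GET http://example-landing.test/e5f60718.html
2013-04-02T10:15:03 10.0.0.7 GET http://example-landing.test/9a8b7c6d.html
2013-04-02T10:15:04 10.0.0.7 GET http://example-landing.test/1234abcd.html
2013-04-02T10:20:00 10.0.0.9 GET http://news.test/story/42
2013-04-02T10:20:05 10.0.0.9 GET http://news.test/story/43
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/]+)(/\S*)$")

def path_template(path):
    """Collapse long alphanumeric tokens to a structural shape,
    e.g. '/a1b2c3d4.html' -> '/{tok}.html', so same-shaped URLs compare equal."""
    return re.sub(r"[0-9a-zA-Z]{6,}", "{tok}", path)

def find_request_bursts(log_text, min_requests=3, window=timedelta(seconds=30)):
    """Return (client, host, template, count) tuples for every client that fetched
    at least min_requests structurally identical URLs from one host within 'window'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        ts, client, _method, host, path = m.groups()
        hits[(client, host, path_template(path))].append(datetime.fromisoformat(ts))
    alerts = []
    for (client, host, tmpl), times in hits.items():
        times.sort()
        # sliding window anchored on each request: flag the first run long enough
        for i, start in enumerate(times):
            run = [t for t in times[i:] if t - start <= window]
            if len(run) >= min_requests:
                alerts.append((client, host, tmpl, len(run)))
                break
    return alerts

if __name__ == "__main__":
    for client, host, tmpl, n in find_request_bursts(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} requests matching {tmpl}")
```

A hit from this script is a reason to pull the corresponding TCP streams and IDS events for review, not proof of exploitation on its own.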

--
Affected Systems:
All web browsers are potentially vulnerable to malicious content hosted on sites like this.

--
Attack Scenarios:
Clients would be lured into visiting this exploit kit via phishing emails, poisoned search results, etc.

--
Ease of Attack:
Simple. Exploits exist.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Examine the packet for signs that the rest of the page contained malicious data. Check for other IDS or other tool events related to the TCP stream in question. Verify patch levels and antimalware solutions, such as FireAMP, on the endpoint host. If exploitation appears to have occurred, consider rebuilding the impacted machine.

--
Contributors:
Sourcefire Vulnerability Research Team

--
Additional References:
None.

--