Using NetWitness and/or Security Analytics to detect Java exploit drive-bys

Discussion created by RSA Admin Employee on Aug 26, 2013
Latest reply on Aug 28, 2013 by RSA Admin

Hi All,


I was wondering if anyone had any good drills for specifically detecting drive-bys that target Java exploits?


The following rule is useful for detecting attempts to download malware payloads following exploitation:


     client regex "java/1.6.0_([0-9]|[1][0-9]|[2][0-6])" && content = "application/pdf","application/x-msdownload","application/x-shockwave-flash"

However, I was looking for some drills for specifically identifying the actual drive-by stage of the attack?
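To show what the posted rule actually matches, here is an added example that re-implements its logic in Python over a few constructed HTTP session records (client user-agent plus response content-type). This is not code from the original post or from NetWitness; it assumes the `client` meta is matched case-insensitively and that the intent of the version regex is "Java 1.6.0 update 26 or older". It runs the regex exactly as posted next to a tightened variant, because the posted pattern is unanchored and its dots are unescaped, so `java/1.6.0_2` also matches update 29 (and anything else beginning with 2).

```python
import re

# Constructed sample session metadata, not from any real capture:
# (client user-agent, content-type of the server response)
SESSIONS = [
    ("Java/1.6.0_22", "application/x-msdownload"),
    ("Java/1.6.0_26", "application/pdf"),
    ("Java/1.6.0_29", "application/x-msdownload"),      # later update, outside the intended range
    ("Java/1.7.0_21", "application/x-shockwave-flash"),  # different major version
    ("Java/1.6.0_13", "text/html"),                      # old Java, but not a payload type
    ("Mozilla/5.0 (Windows NT 6.1)", "application/x-msdownload"),  # browser, not the JVM
]

# The version regex exactly as posted: unanchored alternation, unescaped dots.
POSTED_VERSION_RE = re.compile(r"java/1.6.0_([0-9]|[1][0-9]|[2][0-6])", re.IGNORECASE)

# Tightened variant (assumption: the author wants update 26 or older only).
# Dots are escaped and a negative lookahead forbids a further digit after the
# update number, so "_29" no longer matches via the "_2" prefix.
TIGHT_VERSION_RE = re.compile(r"java/1\.6\.0_(?:[0-9]|1[0-9]|2[0-6])(?![0-9])", re.IGNORECASE)

# The content-type list from the posted rule.
PAYLOAD_TYPES = {
    "application/pdf",
    "application/x-msdownload",
    "application/x-shockwave-flash",
}


def matches(client, content_type, version_re=POSTED_VERSION_RE):
    """Return True if this session satisfies 'client regex ... && content = ...'."""
    return bool(version_re.search(client)) and content_type in PAYLOAD_TYPES


def run_rule(sessions, version_re=POSTED_VERSION_RE):
    """Apply the rule to a list of (client, content_type) sessions; return the hits."""
    return [s for s in sessions if matches(s[0], s[1], version_re)]


if __name__ == "__main__":
    for label, rx in (("posted", POSTED_VERSION_RE), ("tightened", TIGHT_VERSION_RE)):
        print(label)
        for client, ctype in run_rule(SESSIONS, rx):
            print("  hit:", client, ctype)
```

Against the constructed sessions the posted regex fires three times (updates 22, 26 and 29), while the tightened one fires only for 22 and 26; the browser download, the 1.7 client and the text/html response are excluded by both. Whether the lookahead form is accepted by a given Decoder version is something to verify in the appliance's own regex syntax before deploying it as an application rule.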