exploitkit

One of the many ways to look for Exploit Kit / drive-by download behavior. By default, this script looks for a common pattern: a Java JAR (zip), Java applet, or PDF that is followed by a DOS executable from the same client. The behavior is tracked by source (client) IP, and a 2-minute window is allowed between the exploit-type file and the executable. Additionally, every DOS executable downloaded over HTTP with a User-Agent containing 'Java/' (i.e. fetched by the JVM itself) is flagged, regardless of what preceded it.

Notices are generated for the suspicious file combination, and for the JVM downloading executable content.
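To make the two rules above concrete, here is an added example, written in Python for this page and not the Bro script from this repository: an offline re-implementation of the heuristic, run over constructed (not real) download records so the window, the ordering requirement, and the JVM User-Agent rule can be checked. The MIME strings for applets and PDFs, and the notice labels, are assumptions of this example.

```python
# Added example (Python), not the Bro script from this repository: an offline
# re-implementation of the heuristic described above, run over constructed
# file-download records so the window and ordering rules can be checked.
from collections import defaultdict

WINDOW_SECS = 120.0  # the 2-minute window between exploit-type file and executable

# MIME labels for the "exploit types". Bro sniffs a JAR as application/zip;
# the applet and PDF labels are assumptions about the sniffed strings.
EXPLOIT_MIME = {
    "application/zip",            # Java JAR
    "application/x-java-applet",  # Java applet
    "application/pdf",
}
EXEC_MIME = "application/x-dosexec"

# Constructed sample input (not real traffic). One dict per downloaded file,
# roughly the fields a files.log/http.log join would give: epoch timestamp,
# client IP, sniffed MIME type, filename and HTTP User-Agent.
SAMPLE_RECORDS = [
    {"ts": 1000.0, "orig_h": "10.0.0.5", "mime": "application/pdf",
     "filename": "invoice.pdf", "user_agent": "Mozilla/5.0"},
    {"ts": 1050.0, "orig_h": "10.0.0.5", "mime": EXEC_MIME,   # 50 s later: flagged
     "filename": "aN_tXQEp.exe", "user_agent": "Mozilla/5.0"},
    {"ts": 2000.0, "orig_h": "10.0.0.7", "mime": "application/zip",
     "filename": "app.jar", "user_agent": "Mozilla/5.0"},
    {"ts": 2200.0, "orig_h": "10.0.0.7", "mime": EXEC_MIME,   # 200 s later: outside window
     "filename": "update.exe", "user_agent": "Mozilla/5.0"},
    {"ts": 3000.0, "orig_h": "10.0.0.9", "mime": EXEC_MIME,   # no prior exploit file, but JVM UA
     "filename": "x.exe", "user_agent": "Java/1.7.0_45"},
    {"ts": 4000.0, "orig_h": "10.0.0.11", "mime": EXEC_MIME,  # exe BEFORE the PDF: not the pattern
     "filename": "setup.exe", "user_agent": "Mozilla/5.0"},
    {"ts": 4010.0, "orig_h": "10.0.0.11", "mime": "application/pdf",
     "filename": "doc.pdf", "user_agent": "Mozilla/5.0"},
]


def detect(records):
    """Return (client_ip, kind, detail) tuples in time order.

    kind is one of two hypothetical labels used only in this example:
    "suspicious_combination" (exploit-type file then executable from the same
    client within WINDOW_SECS) and "jvm_downloaded_exec" (executable fetched
    with a 'Java/' User-Agent). The real script raises Bro Notices such as
    ExploitKit::SuspiciousDownloads instead."""
    recent = defaultdict(list)  # client IP -> [(ts, mime)] of exploit-type files
    notices = []
    for r in sorted(records, key=lambda x: x["ts"]):
        ip, ts, mime = r["orig_h"], r["ts"], r["mime"]
        # Expire state older than the window (a Bro table would use &create_expire).
        recent[ip] = [(t, m) for (t, m) in recent[ip] if ts - t <= WINDOW_SECS]
        if mime in EXPLOIT_MIME:
            recent[ip].append((ts, mime))
            continue
        if mime != EXEC_MIME:
            continue
        fname = r.get("filename") or "-"
        if recent[ip]:
            # This example pairs the executable with the most recent exploit-type
            # file and then clears the state, so one exploit file yields one notice.
            _, prior = recent[ip][-1]
            recent[ip].clear()
            notices.append((ip, "suspicious_combination",
                            f"Suspicious File Combination: {prior}, {mime} Filename: {fname}"))
        ua = r.get("user_agent") or ""
        if "Java/" in ua:
            notices.append((ip, "jvm_downloaded_exec",
                            f"JVM downloaded executable: User-Agent {ua} Filename: {fname}"))
    return notices


def run_sample():
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for ip, kind, detail in run_sample():
        print(ip, kind, detail)
```

Running it yields two notices: the PDF-then-executable pair from 10.0.0.5 and the JVM-fetched executable from 10.0.0.9. The JAR from 10.0.0.7 is silently dropped because its executable arrives outside the 2-minute window, and 10.0.0.11 produces nothing because the executable came before the PDF rather than after it.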

Created and tested on Bro 2.3.1. Also tested on Bro 2.4.

Sample notice.log entry (tab-separated):

```
1361476708.927624   CPwyRm2zRnv9IuUYzg  148.163.63.34   4160    85.17.141.99    80  -   -   -   tcp ExploitKit::SuspiciousDownloads Suspicious File Combination:  application/pdf, application/x-dosexec    Filename: aN_tXQEp.exe  148.163.63.34   85.17.141.99    80  -   bro Notice::ACTION_LOG  3600.000000 F   -   -   -   -   -
```