One of many ways to look for exploit-kit/drive-by behavior. By default, this script looks for a common pattern: a Java JAR (a zip container), Java applet, or PDF download that is followed by a DOS executable. The behavior is tracked by source IP, and the exploit-type file and the executable must both be seen within a two-minute window. Additionally, every DOS executable downloaded over HTTP with a User-Agent containing 'Java/' is flagged, since a JVM fetching executable content is suspicious on its own.
Notices are generated for the suspicious file combination, and for the JVM downloading executable content.
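The correlation described above, written out in Python as an added example so the two behaviors can be run against sample records; this is not the Bro script itself. The MIME types used to recognise JAR, applet and PDF files are an assumption about what Bro's file analysis reports, the traffic records are constructed (only the IPs and filename are borrowed from the sample notice below), and the "kind" labels are ours, not Bro Notice::Type names.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW = 120.0  # seconds: exploit type and executable must both be seen within two minutes

# MIME types that count as the "exploit type" half of the pair. Assumed to be what
# Bro's file analysis reports for a JAR (zip container), an applet class file and a PDF.
EXPLOIT_TYPES = {"application/zip", "application/x-java-applet", "application/pdf"}
EXEC_TYPE = "application/x-dosexec"


@dataclass
class FileEvent:
    """One HTTP file transfer, roughly what files.log plus http.log describe (constructed)."""
    ts: float
    orig_h: str            # downloading host; the behavior is tracked per source IP
    resp_h: str
    mime_type: str
    filename: str
    user_agent: str = ""


def detect(events: List[FileEvent]) -> List[Dict[str, str]]:
    """Return notice-like records for the two behaviors described in the README."""
    # Most recent exploit-type file per source IP: orig_h -> (ts, mime_type)
    last_exploit: Dict[str, Tuple[float, str]] = {}
    notices: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.mime_type in EXPLOIT_TYPES:
            last_exploit[ev.orig_h] = (ev.ts, ev.mime_type)
            continue
        if ev.mime_type != EXEC_TYPE:
            continue
        # Behavior 1: exploit type followed by an executable from the same source within the window
        seen = last_exploit.get(ev.orig_h)
        if seen is not None and 0.0 <= ev.ts - seen[0] <= WINDOW:
            notices.append({
                "kind": "suspicious_combination",  # our label, not a Bro Notice::Type
                "src": ev.orig_h, "dst": ev.resp_h,
                "msg": f"Suspicious File Combination: {seen[1]}, {ev.mime_type}",
                "sub": f"Filename: {ev.filename}",
            })
        # Behavior 2: any executable fetched by a JVM (User-Agent contains 'Java/')
        if "Java/" in ev.user_agent:
            notices.append({
                "kind": "java_ua_executable",  # our label
                "src": ev.orig_h, "dst": ev.resp_h,
                "msg": f"JVM downloaded executable content, User-Agent {ev.user_agent}",
                "sub": f"Filename: {ev.filename}",
            })
    return notices


# Constructed traffic. The IPs and filename of host A follow the sample notice in this
# README; timestamps, MIME sequences and User-Agents are made up.
SAMPLE_EVENTS = [
    # Host A: PDF, then an executable about 9 s later -> suspicious combination
    FileEvent(1361476700.0, "148.163.63.34", "85.17.141.99", "application/pdf", "invoice.pdf",
              "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"),
    FileEvent(1361476708.927624, "148.163.63.34", "85.17.141.99", EXEC_TYPE, "aN_tXQEp.exe",
              "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"),
    # Host B: JAR, then an executable 200 s later (outside the window) but fetched by the JVM
    FileEvent(1361476600.0, "10.0.0.5", "203.0.113.9", "application/zip", "load.jar", "Java/1.7.0_11"),
    FileEvent(1361476800.0, "10.0.0.5", "203.0.113.9", EXEC_TYPE, "update.exe", "Java/1.7.0_11"),
    # Host C: executable first, PDF afterwards -> wrong order, nothing flagged
    FileEvent(1361476650.0, "10.0.0.7", "198.51.100.2", EXEC_TYPE, "setup.exe",
              "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 Chrome/25.0.1364.97 Safari/537.22"),
    FileEvent(1361476660.0, "10.0.0.7", "198.51.100.2", "application/pdf", "manual.pdf",
              "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 Chrome/25.0.1364.97 Safari/537.22"),
]

if __name__ == "__main__":
    for n in detect(SAMPLE_EVENTS):
        print(n["kind"], n["src"], n["dst"], n["msg"], n["sub"], sep="\t")
```

Running it produces one record for host A (the PDF/executable pair) and one for host B (the JVM download); host B's JAR is too old to pair with its executable, and host C's executable precedes its PDF, so order matters as it does in the script. Because the window is checked by timestamp difference, the state for a source never has to be expired explicitly.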
Created and tested on Bro 2.3.1; also tested on Bro 2.4.
Sample notice.log entry (note ExploitKit::SuspiciousDownloads; the msg field names the MIME-type pair and the sub field carries the downloaded filename):
1361476708.927624 CPwyRm2zRnv9IuUYzg 148.163.63.34 4160 85.17.141.99 80 - - - tcp ExploitKit::SuspiciousDownloads Suspicious File Combination: application/pdf, application/x-dosexec Filename: aN_tXQEp.exe 148.163.63.34 85.17.141.99 80 - bro Notice::ACTION_LOG 3600.000000 F - - - - -