The last few days I have seen the Rig Exploit Kit traffic on the networks I look after. Fireeye has been doing a decent job and picking up the traffic.
There has been a good article written by Sans Storm Centre that can do a far better job than myself of explaining and analyzing the traffic.
So there is quite a simple rule that can be written in RSA to identify this type of traffic.
You rule can be setup as follows
query contains 'PrfJxzFGMSUb'
The string has been present in the traffic I have seen on the networks I look after and various pcaps available. If you look at the strings closely you will see there are several parts of the query that appear to be in common.
So far I have had great success with this effective but simple rule.