Snort mailing list archives

Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"


From: Community Signatures <lists () packetmail net>
Date: Tue, 13 Mar 2012 11:20:08 -0500

On 03/13/12 11:03, Joel Esler wrote:
> Well, we have a rule that fires on that initially..
>
> 21347
>
> But it's set to noalert as we think it'll be FP prone.
>
> Thoughts?

Ouch, I completely missed that one; it's new and wasn't in my tarball.
Yes, it will false-positive. I had tried something similar, and the URI
structures in a few sites, especially video sites, cause it to false.
It is worth setting a flowbit though.

I'm open to your opinion; I do think there is value in detection of a
terse/basic 'document.location' redirect.  Perhaps something like this, with
the direction $EXTERNAL_NET -> $HOME_NET:

file_data; content:"document.location="; depth:18; content:".php?";
along with the PCRE in 21347 without the /U flag -- this will catch more
than just the "showthread.php" variant.

I assume file_data with depth:18 will match on equiv of content:"|0d 0a
0d 0a|document.location="; with no normalized buffer.  I appreciate any
corrections here if I'm wrong.

PS -- The PCRE in 21347 needs an escape on the period in ".php"... well
I guess it doesn't matter because of the content match, but I think you
intend one to be there.

Thanks,
Nathan

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

