Snort mailing list archives

Re: Proposed Signatures - Blackhole Exploit Kit


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Mar 2012 20:55:05 -0400

That's a pretty old version of PDF marking. It's almost worth it to sig
that. ;)

It's a negligible difference as far as performance goes in my testing.
It's more worth it, IMO, to ensure that the qwe123 is after the PDF content
match. At least it's in the file. I'll check again.

I'm also future proofing the rule for future enhancements to the Snort
engine by doing what I did.

The flowbit check is also a future proof.

Thanks for the misspelling note.

On Tuesday, March 13, 2012, lists () packetmail net <lists () packetmail net> wrote:
On 03/13/12 16:57, Joel Esler wrote:
Nathan, fixed up to:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"SPECIFIC-THREATS Blackhole malicioius pdf detection - qwe123";
flow:to_client,established; flowbits:isset,file.pdf; file_data;
content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:21583; rev:1;)

I strongly believe you need a fast_pattern on the "qwe123" string as it is
the most likely to be globally unique as compared to "%PDF-1.6".  Disagree?

Also, "malicioius" was misspelled, so I corrected it; this would likely have
been caught in QA, so I'm just pointing it out so it's not overlooked, not
being pedantic.

I do agree that looking for %PDF-1.6 even with the file.pdf flowbit check is
wise; I don't recommend dropping this.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123";
flow:to_client,established; flowbits:isset,file.pdf; file_data;
content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:21583; rev:1;)

Thanks,
Nathan


-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
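Added example, not part of the thread: a small Python model of the content, distance:0 and fast_pattern behaviour discussed above, run over constructed sample buffers. The function and sample names are my own; it models Snort's default of using the longest content as the fast pattern when none is flagged, and omits flow, flowbits and the file_data buffer.

```python
# Added example (not from the thread): a toy model of the content/distance/
# fast_pattern logic in sid:21583. Flow, flowbits and file_data are omitted.

# Ordered content matches from the rule (bytes, in rule order).
RULE_CONTENTS = [
    {"content": b"%PDF-1.6"},
    {"content": b"qwe123", "distance": 0, "fast_pattern": True},
]
# Same rule with the fast_pattern modifier dropped, for comparison.
RULE_CONTENTS_NO_FP = [dict(c, fast_pattern=False) for c in RULE_CONTENTS]

def select_fast_pattern(contents):
    """Snort uses the content flagged fast_pattern if there is one,
    otherwise it defaults to the longest content in the rule."""
    flagged = [c for c in contents if c.get("fast_pattern")]
    if flagged:
        return flagged[0]["content"]
    return max(contents, key=lambda c: len(c["content"]))["content"]

def rule_matches(payload, contents):
    """True only if every content is found in order; a content carrying
    distance:N is searched starting N bytes after the previous match."""
    if select_fast_pattern(contents) not in payload:
        return False            # prefilter miss: rule is never evaluated
    cursor = 0                  # offset just past the previous match
    for c in contents:
        start = cursor + c["distance"] if "distance" in c else 0
        pos = payload.find(c["content"], start)
        if pos == -1:
            return False
        cursor = pos + len(c["content"])
    return True

# Constructed sample buffers (not real malware samples).
SAMPLES = {
    "pdf_with_marker":   b"%PDF-1.6\n1 0 obj << /JS (qwe123) >>\nendobj",
    "marker_before_hdr": b"qwe123\n%PDF-1.6\n1 0 obj << >>\nendobj",
    "benign_pdf":        b"%PDF-1.6\n1 0 obj << /Type /Catalog >>\nendobj",
    "benign_pdf_2":      b"%PDF-1.6\n2 0 obj << /Type /Pages >>\nendobj",
    "not_a_pdf":         b"<html>qwe123</html>",
}

def evaluate_all(contents=RULE_CONTENTS):
    """Final verdict per sample; fast_pattern changes cost, not verdicts."""
    return {name: rule_matches(buf, contents) for name, buf in SAMPLES.items()}

def prefiltered_count(contents):
    """Samples the prefilter hands to full evaluation; fewer is cheaper."""
    fp = select_fast_pattern(contents)
    return sum(fp in buf for buf in SAMPLES.values())
```

The verdicts are identical with or without fast_pattern; only the number of buffers that reach full rule evaluation changes, which is the performance point Nathan raises.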