Snort mailing list archives
Re: Proposed Signatures - Blackhole Exploit Kit
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Mar 2012 20:55:05 -0400
That's a pretty old version of PDF marking. It's almost worth it to sig that. ;) It's a negligible difference as far as performance goes in my testing. It's more worth it, IMO, to ensure that the qwe123 is after the PDF content match. At least it's in the file. I'll check again. I'm also future-proofing the rule for future enhancements to the Snort engine by doing what I did. The flowbit check is also a future-proof. Thanks for the misspelling note.

On Tuesday, March 13, 2012, lists () packetmail net <lists () packetmail net> wrote:

> On 03/13/12 16:57, Joel Esler wrote:
>> Nathan, fixed up to:
>>
>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Blackhole malicioius pdf detection - qwe123"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21583; rev:1;)
>
> I strongly believe you need a fast_pattern on the "qwe123" string as it is the most likely to be globally unique as compared to "%PDF-1.6". Disagree?
>
> Also "malicioius" was misspelled so corrected, but this would have been likely caught in QA, so just pointing it out so it's not overlooked, not being pedantic.
>
> I do agree looking for %PDF-1.6 even with the file.pdf flowbit check is wise; I don't recommend dropping this.
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21583; rev:1;)
>
> Thanks,
> Nathan
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
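To make the two points argued in this thread concrete (the second content must be found after the "%PDF-1.6" match because of distance:0, and without an explicit fast_pattern Snort 2.x hands its longest content, here "%PDF-1.6", to the multi-pattern matcher), here is a small Python model of how the content options in sid:21583 are evaluated. This is an added example, not code from the thread or from Snort; it models only content/distance/fast_pattern over an already-extracted file_data buffer (flowbits, HTTP reassembly and the file_data buffer extraction itself are not modelled), and the PDF byte strings are constructed for the demo, not real Blackhole samples.

```python
"""Added example: model of Snort 2.x ordered content matching and default
fast-pattern selection for the proposed sid:21583 rule. Not Snort code."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    distance: Optional[int] = None  # relative to the end of the previous match
    fast_pattern: bool = False


# content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern;  (Nathan's version)
RULE = [Content(b"%PDF-1.6"), Content(b"qwe123", distance=0, fast_pattern=True)]
# content:"%PDF-1.6"; content:"qwe123"; distance:0;  (Joel's first version, no fast_pattern)
RULE_DEFAULT = [Content(b"%PDF-1.6"), Content(b"qwe123", distance=0)]

# Constructed sample buffers (hypothetical, not real malware).
MALICIOUS_PDF = (
    b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS (var qwe123 = unescape('%u9090');) >>\n"
    b"endobj\n%%EOF\n"
)
# Same strings, but qwe123 appears before the PDF header: distance:0 must fail.
WRONG_ORDER_PDF = b"qwe123\n%PDF-1.6\n1 0 obj\nendobj\n%%EOF\n"
# Older header version: the first content never matches.
OLD_VERSION_PDF = b"%PDF-1.4\n1 0 obj\n<< /JS (qwe123) >>\nendobj\n%%EOF\n"
# Clean 1.6 document without the marker string.
BENIGN_PDF = b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"


def select_fast_pattern(contents: List[Content]) -> bytes:
    """Which content goes into the multi-pattern matcher.

    Snort 2.x default: the longest content, unless one is tagged fast_pattern.
    With two contents of 8 and 6 bytes, the default picks "%PDF-1.6", which
    is why the thread asks for fast_pattern on the rarer "qwe123".
    """
    for c in contents:
        if c.fast_pattern:
            return c.pattern
    return max(contents, key=lambda c: len(c.pattern)).pattern


def rule_matches(buf: bytes, contents: List[Content], cursor: int = 0, idx: int = 0) -> bool:
    """Evaluate ordered content matches over one file_data buffer.

    A content without relative modifiers is searched from the start of the
    buffer; distance:N is searched from (end of previous match + N). If a
    later content fails, earlier contents are retried at their next
    occurrence, mirroring Snort's backtracking on relative matches.
    """
    if idx == len(contents):
        return True
    c = contents[idx]
    start = cursor + c.distance if c.distance is not None else 0
    pos = buf.find(c.pattern, start)
    while pos >= 0:
        if rule_matches(buf, contents, pos + len(c.pattern), idx + 1):
            return True
        pos = buf.find(c.pattern, pos + 1)
    return False


if __name__ == "__main__":
    print("fast pattern, explicit :", select_fast_pattern(RULE))
    print("fast pattern, default  :", select_fast_pattern(RULE_DEFAULT))
    for name, buf in [("malicious", MALICIOUS_PDF), ("wrong order", WRONG_ORDER_PDF),
                      ("old version", OLD_VERSION_PDF), ("benign", BENIGN_PDF)]:
        print(f"{name:12s} -> {rule_matches(buf, RULE)}")
```

The fast-pattern choice does not change which buffers the rule fires on (both rule variants alert on the same inputs); it changes how many PDF-carrying flows are pulled out of the fast matcher for full evaluation, which is the performance point Nathan raises and Joel measures as negligible in his testing.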
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Proposed Signatures - Blackhole Exploit Kit Community Proposed (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Community Signatures (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit lists () packetmail net (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit lists () packetmail net (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Community Signatures (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)