Security Incidents mailing list archives
Re: A new technique to disguise a target URL in spam
From: Valdis.Kletnieks () vt edu
Date: Mon, 05 Apr 2004 17:26:58 -0400
On Mon, 05 Apr 2004 12:43:42 CDT, Stef <stefmit () comcast net> said:
> Now how would one go about writing filters for - let's say - Snort - based on something like this? Could it be - in pseudo-code - something like: if location.ref <> src ==> then "take action"? Would it be safe to assume that everything where the location.ref is different than src is malicious?
The problem is that you get obfuscated code, where they've rot-13'ed it or similar. You very quickly get into the Turing Halting Problem unless you put your foot down and declare anything over XYZ amount of obfuscation is automatically suspect.... I'm not sure I'd want to try to do that in a Snort or tcpdump filter though. :)
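The two ideas in this exchange, a displayed-versus-actual target comparison and a cap on tolerated obfuscation, sketched as an added example that is not part of the original thread. It assumes "location.ref <> src" means the host shown in the link text versus the host in `href`; the scoring rules, the threshold and the sample HTML are constructed for illustration, and it runs over a decoded message body rather than as a Snort rule.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname-looking token in the visible link text (illustrative pattern).
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base(host):
    return re.sub(r"^www\.", "", host.lower())

def obfuscation_score(href):
    """Hypothetical scoring: count tricks in the URL authority."""
    parts = urlsplit(href)
    return (len(re.findall(r"%[0-9a-f]{2}", parts.netloc, re.I))  # percent-escapes
            + 2 * ("@" in parts.netloc)                           # userinfo before the host
            + 2 * bool(re.fullmatch(r"[0-9.]+", parts.hostname or "")))  # bare numeric host

def audit(html, limit=2):
    """Return [(href, reasons)] for links that fail either check."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = HOST_IN_TEXT.search(text)
        mismatch = bool(shown) and base(shown.group(1)) != base(urlsplit(href).hostname or "")
        checks = {"text-host-mismatch": mismatch, "obfuscated": obfuscation_score(href) >= limit}
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body (reserved example domains, documentation IP range).
SAMPLE = """<a href="http://www.example.com/login">www.example.com</a>
<a href="http://198.51.100.7/login">http://www.example.com/login</a>
<a href="http://www.example.com%2Faccount@elsewhere.example/">Click here</a>"""
```

A mismatch alone is not proof of malice (legitimate mail often routes links through tracking hosts), and an href that is only assembled by script at render time never reaches either check, which is the limit described in the reply above.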