Snort mailing list archives
Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"
From: Community Proposed <lists () packetmail net>
Date: Wed, 29 Feb 2012 11:39:51 -0600
Below is a proposed signature to detect the try{ catch()} approaches used by the Blackhole exploit kits which to date share a commonality with the attachment to "catch(qq". Looking at all of my PCAP samples these match nicely, perform well, and have not been prone to false positives. This is also doing very well in detecting new Blackhole initial landings and the various, near daily, changing permutations of the string splitting/building methods.

I am seeing a large presence of legitimate sites which have been compromised now delivering Blackhole. Some of these are k12 US education/school sites.

21438 can be retired in place of the proposed above.

Joel, existing PCAPs for Blackhole landings should suffice for validation of the above; if more are needed, please let me know.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with specific catch qq structure"; flow:established,from_server; content:")|3b|}catch(qq"; fast_pattern:only; classtype:trojan-activity; sid:x; rev:1;)

I know there is a VRT standard for writing these, please respond to me after transforming the rule for compliance so that future submissions can adhere to this standard. The reference from 21438 can be used here.

Thanks,
Nathan
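The following is an added example, not part of Nathan's post or the VRT rule set: it translates the rule's content string (Snort's |hex| notation) into the raw bytes the engine searches for and runs that match over constructed sample response bodies, so the "specific catch qq structure" the rule keys on can be checked offline before deployment.

```python
# Content string exactly as written in the proposed rule; Snort reads text
# between pipes as hex bytes, so |3b| is ';'.
RULE_CONTENT = ')|3b|}catch(qq'


def snort_content_to_bytes(pattern: str) -> bytes:
    """Translate a Snort content string (literal text with |hh hh| hex runs)
    into the raw bytes the detection engine searches for."""
    out = bytearray()
    for i, part in enumerate(pattern.split('|')):
        if i % 2 == 0:                       # literal text segment
            out += part.encode('latin-1')
        else:                                # hex run; spaces between bytes allowed
            out += bytes.fromhex(part.replace(' ', ''))
    return bytes(out)


def matches_rule(body: bytes) -> bool:
    """True if a server->client HTTP body contains the rule's byte sequence.
    With fast_pattern:only this single content match is the whole test."""
    return snort_content_to_bytes(RULE_CONTENT) in body


# Constructed sample bodies (not real captures): one Blackhole-style
# try/catch wrapper, and two benign-looking pages that share only part
# of the string and must not fire.
SAMPLES = {
    "blackhole_style": b"<script>try{eval(s);}catch(qq){}</script>",
    "benign_catch_e": b"<script>try{JSON.parse(s);}catch(e){}</script>",
    "catch_qq_no_paren": b"<script>try{x=1;}catch(qq){}</script>",
}


def scan(samples: dict) -> dict:
    """Return which sample names the rule would alert on."""
    return {name: matches_rule(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Only the sample with the full `);}catch(qq` sequence matches; `catch(qq)` on its own is not enough, which is the point of the rule's tighter content string.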
Current thread:
- Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq" Community Proposed (Feb 29)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq" Matt Olney (Feb 29)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq" Community Signatures (Feb 29)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq" Matt Olney (Feb 29)