Snort mailing list archives
Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"
From: Community Signatures <lists () packetmail net>
Date: Wed, 29 Feb 2012 15:35:13 -0600
On 02/29/12 15:19, Matt Olney wrote:
> Since you're associating with an exploit kit, rather than an active trojan, and given that exploits are typically aimed at user applications, I'd use classtype:attempted-user;

Understood, on the ET side we tend to use trojan-activity because the point of the exploit kit is to install a trojan/malware. I always viewed attempted-user as privilege escalation. I may just leave classtype off and let VRT apply this and the metadata as they feel fit.

> Because it is a file, and you're not using any http_inspect buffers, we'd use $FILE_DATA_PORTS in case it is delivered via mail (saw one like that yesterday).

Thanks Matt, can you elaborate more on this as I've not seen this behavior before, where Blackhole is delivered via mail. I have seen mailing campaigns that include a link which, upon landing, is Blackhole. I don't disagree with your changes over $HTTP_PORTS but I have not seen this behavior, especially with SMTPDs.

> Again, primarily cosmetic changes, and does nothing, in this simple case, to modify the functionality of the rule.
Thank you for taking the time to explain the changes and current convention.

Thanks,
Nathan
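The port-variable point Matt raises above, as an added illustration that is not from the thread or from VRT: in a stock snort.conf, $FILE_DATA_PORTS is built from $HTTP_PORTS plus the POP3 and IMAP ports, so a rule that inspects a delivered file via the file_data buffer matches whether the landing page arrives over HTTP or as a retrieved mail message. The rule body below is a constructed placeholder (content "EXAMPLE-ONLY", local sid), not the proposed Blackhole signature.

```snort
# Stock snort.conf definition (2.9.x): file-carrying ports are HTTP plus mail retrieval.
portvar HTTP_PORTS [80,8080]                 # constructed short list; real conf lists many more
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] # HTTP, POP3 (110), IMAP (143)

# Header as originally proposed: HTTP only, exploit-kit-as-trojan classtype.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE landing page (HTTP only)"; \
  flow:established,to_client; file_data; content:"EXAMPLE-ONLY"; \
  classtype:trojan-activity; sid:1000001; rev:1;)

# Header after review: same body, but file-delivery ports and a user-application classtype.
# file_data is not an http_inspect buffer; it also points at decoded mail bodies/attachments,
# so the content match works for a message pulled over POP3/IMAP as well as an HTTP response.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXAMPLE landing page (file ports)"; \
  flow:established,to_client; file_data; content:"EXAMPLE-ONLY"; \
  classtype:attempted-user; sid:1000002; rev:1;)
```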