Snort mailing list archives

Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"


From: Community Signatures <lists () packetmail net>
Date: Wed, 29 Feb 2012 15:35:13 -0600

On 02/29/12 15:19, Matt Olney wrote:
> Since you're associating with an exploit kit, rather than an active
> trojan, and given that exploits are typically aimed at user
> applications, I'd use classtype:attempted-user;

Understood; on the ET side we tend to use trojan-activity because the
point of the exploit kit is to install a trojan/malware.  I always
viewed attempted-user as privilege escalation.  I may just leave
classtype off and let VRT apply this and the metadata as they feel fit.

> Because it is a file, and you're not using any http_inspect buffers,
> we'd use $FILE_DATA_PORTS in case it is delivered via mail (saw one like
> that yesterday).

Thanks Matt, can you elaborate more on this, as I've not seen this
behavior before, where Blackhole is delivered via mail?  I have seen
mailing campaigns that include a link which, upon landing, is Blackhole.
I don't disagree with your changes over $HTTP_PORTS, but I have not seen
this behavior, especially with SMTPDs.

> Again, primarily cosmetic changes, and does nothing, in this simple
> case, to modify the functionality of the rule.

Thank you for taking the time to explain the changes and current convention.

Thanks,
Nathan
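
An added illustration of the port-variable point discussed above; it is not part of the thread and not the proposed signature itself. The $FILE_DATA_PORTS definition is the stock Snort 2.9 snort.conf value as I recall it (the HTTP port list is trimmed), and the rule body is a skeleton with the detection content and sid left as labelled placeholders.

```conf
# Assumed snort.conf excerpt (Snort 2.9 style); HTTP list trimmed here.
portvar HTTP_PORTS [80,8080]
# Stock definition: FILE_DATA_PORTS is HTTP plus POP3 (110) and IMAP (143),
# so a rule bound to it also fires on a copy fetched over mail protocols,
# which a header bound only to $HTTP_PORTS would never see.
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

# Header bound to $HTTP_PORTS: web delivery only.
#   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( ... )

# Header bound to $FILE_DATA_PORTS: the match runs on raw payload (no
# http_inspect buffer), so the same content is inspected on 110/143 too.
# Skeleton only: detection content and sid are placeholders.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( \
    msg:"COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"; \
    flow:to_client,established; \
    content:"<detection content omitted>"; \
    classtype:attempted-user; \
    sid:<placeholder>; rev:1; \
)
```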


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org