Snort mailing list archives
Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Mar 2012 12:03:19 -0400
Well, we have a rule that fires on that initially: 21347. But it's set to noalert as we think it'll be FP-prone. Thoughts?

On Tue, Mar 13, 2012 at 11:57 AM, Community Signatures <lists () packetmail net> wrote:

> On 03/13/12 10:43, Joel Esler wrote:
> > So an additional rule may not add value.
>
> Well, looking at these SIDs that fired, they're not so much related to the initial landing redirect (document.location), which I feel is as important as the landing page itself. The landing page and its content can vary; however, I believe there to be value in detection of the specific terse structure of the landing redirect itself, in this case nothing more than a document.location statement to the 16-byte hex Blackhole landing page on showthread.php (VBulletin emulation anyone?)
>
> I think there's still value in the proposed as there isn't any 1:1 overlap, just SIDs firing *after* landing. Disagree?
>
> The PCRE is missing an escape for period in "showthread.php" -- sadly this still doesn't make it fire (argh).
>
> Thanks,
> Nathan
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
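The escape problem Nathan points out is easy to see in isolation. The following is an added example, not code from the thread, from the proposed signature, or from the Snort rule set: it runs a loose pattern (unescaped period in `showthread.php`) and a strict pattern (escaped period, plus a closing quote so a bare string cannot run on) over constructed response bodies. The URL shape assumed here (a `t=` query parameter carrying 16 lowercase hex characters), the hostname `example.invalid` and the sample bodies are all assumptions made for the example; the page only says "16-byte hex" and "showthread.php".

```python
import re

# Constructed sample HTTP response bodies (assumptions for this example, not
# captures from the thread). The first is the terse redirect shape the thread
# discusses; the others exercise ways a regex can over- or under-match.
SAMPLES = {
    # A bare document.location assignment to a showthread.php URL with a
    # 16-hex-character token (assumed parameter name "t").
    "terse_redirect": 'document.location="http://example.invalid/showthread.php?t=0123456789abcdef";',
    # Same shape, but "-" instead of "." before "php": an unescaped period
    # in the pattern will happily match this.
    "unescaped_dot_trap": 'document.location="http://example.invalid/showthread-php?t=0123456789abcdef";',
    # Token too short for the 16-character requirement.
    "short_token": 'document.location="http://example.invalid/showthread.php?t=abc";',
    # An ordinary forum link with no JavaScript redirect at all.
    "benign_forum": '<a href="/showthread.php?t=0123456789abcdef">thread</a>',
}

# Loose pattern: the period in "showthread.php" is NOT escaped, so it matches
# any single character, and nothing anchors the end of the URL string.
LOOSE = re.compile(
    r'document\.location\s*=\s*["\'][^"\']*showthread.php\?t=[0-9a-f]{16}'
)

# Strict pattern: "\." matches only a literal period, and the closing quote
# must follow the 16 hex characters, so the token cannot be longer or be
# followed by more path.
STRICT = re.compile(
    r'document\.location\s*=\s*["\'][^"\']*showthread\.php\?t=[0-9a-f]{16}["\']'
)


def matches(pattern: re.Pattern, body: str) -> bool:
    """Return True if the pattern fires anywhere in the response body."""
    return pattern.search(body) is not None


def scan(pattern: re.Pattern) -> dict:
    """Run one pattern over every sample and report which bodies it fires on."""
    return {name: matches(pattern, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(label)
        for name, hit in scan(pattern).items():
            print(f"  {name:<20} {'FIRES' if hit else '-'}")
```

Running the block shows that both patterns fire on the terse redirect, but only the loose one fires on the `showthread-php` body: the unescaped period is a silent widening of the match, which is exactly the kind of thing that feeds false-positive concerns about a content match this short. Neither pattern fires on the short token or the plain forum link.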
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php" Community Proposed (Mar 13)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php" Joel Esler (Mar 13)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php" Community Signatures (Mar 13)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php" Joel Esler (Mar 13)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php" Community Signatures (Mar 13)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php" Joel Esler (Mar 13)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php" Community Signatures (Mar 13)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php" Joel Esler (Mar 13)