Snort mailing list archives

Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Mar 2012 12:03:19 -0400

Well, we have a rule that fires on that initially..

21347

But it's set to noalert as we think it'll be FP prone.

Thoughts?

On Tue, Mar 13, 2012 at 11:57 AM, Community Signatures <lists () packetmail net> wrote:

On 03/13/12 10:43, Joel Esler wrote:

So an additional rule may not add value.

Well, looking at these SIDs that fired they're not so much related to
the initial landing redirect (document.location) which I feel is as
important as the landing page itself.

The landing page and its content can vary, however, I believe there to
be value in detection of the specific terse structure of the landing
redirect itself, in this case nothing more than a document.location
statement to the 16-byte hex Blackhole landing page on showthread.php
(VBulletin emulation anyone?)

I think there's still value in the proposed as there isn't any 1:1
overlap, just SIDs firing *after* landing.  Disagree?

The PCRE is missing an escape for period in "showthread.php" -- sadly
this still doesn't make it fire (argh).

Thanks,
Nathan




-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
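The escaping point raised in the thread (an unescaped period in "showthread.php" matches any character) is easy to see on sample data. The following is an added example, not a rule from the thread or from the Snort/VRT rule set: it builds a hypothetical pattern approximating the described redirect (a bare document.location assignment to showthread.php with a hex parameter, read here as 16 hex characters, which is an assumption) and runs the unescaped and escaped forms over constructed inputs to show which one admits a lookalike false positive.

```python
import re

# Constructed sample inputs (not from the thread): one redirect of the
# described shape, one lookalike with a different character where the
# period should be, and one unrelated fragment.
SAMPLES = {
    "redirect": 'document.location="http://example.invalid/showthread.php?t=73a07bc1ab55e5d2";',
    "lookalike": 'document.location="http://example.invalid/showthreadXphp?t=73a07bc1ab55e5d2";',
    "benign": 'document.title="Welcome"; var x = "showthread.php";',
}

# Hypothetical pattern approximating the thread's description. The only
# difference between the two is the period before "php": unescaped, it is
# a regex wildcard; escaped, it is a literal dot. The 16-character width
# of the hex parameter is an assumption, not taken from the thread.
UNESCAPED = re.compile(
    r'document\.location\s*=\s*["\']https?://[^"\']+/showthread.php\?t=[0-9a-f]{16}["\']'
)
ESCAPED = re.compile(
    r'document\.location\s*=\s*["\']https?://[^"\']+/showthread\.php\?t=[0-9a-f]{16}["\']'
)


def matches(pattern, text):
    """Return True if the pattern occurs anywhere in the text."""
    return pattern.search(text) is not None


def evaluate(pattern):
    """Run one pattern over every sample and report hit/miss per sample."""
    return {name: matches(pattern, text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(label, evaluate(pattern))
```

The same `\.` escaping applies inside a Snort `pcre:` option, since the period is a metacharacter there too; the escaped form still matches the genuine redirect while rejecting the lookalike.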
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!