Snort mailing list archives

Re: Proposed Signatures - Blackhole Exploit Kit


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Mar 2012 16:46:01 -0400

Do you have a pcap for the first one?

We have a second one in testing right now that will replace 21492 and is
similar to your second one.

J

On Tue, Mar 13, 2012 at 1:09 PM, Community Proposed <lists () packetmail net> wrote:

The Blackhole PDFs are consistent in structure and "fluff", I've had
very good luck in identifying commonalities in the PDF structures used
by the Blackhole Exploit Kit.

One of these commonalities is the presence of "qwe123" in the PDFs.
This has been present for some time now, if not multiple months.  Joel,
let me know if you need PCAPs for this, I believe you'll find it in most
of yours already.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS qwe123 PDF"; flow:to_client,established; file_data; content:"%PDF-1.6"; content:"|20 28|qwe123"; fast_pattern:only; classtype:trojan-activity; sid:436520771; rev:1;)

Additionally, I'm using this signature as an alternative to 21492 rev 5.
I'm having some false positives with SID 21492 rev 5, so much so I've had
to disable it :(  It may be better to revert to rev 3-4 where we're just
catching "catch(qq" and using the below as well:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS Blackhole Landing with prototype catch"; flow:to_client,established; file_data; content:"if(window.document)try{new|20|"; content:".prototype}catch("; distance:0; fast_pattern; sid:436520770; rev:1;)

Joel, let me know if you need PCAPs.  I highly recommend 436520770 and
reverting 21492 rev 5.

Thanks,
Nathan




-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
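The two proposed rules rely on ordered `content` matches inside the `file_data` buffer, and the second one depends on `distance:0` to require the `.prototype}catch(` fragment to follow the `try{new ` fragment. The script below is an added example, not code from the thread or from Sourcefire/VRT: it emulates just enough of Snort's `content` semantics (literal text, `|hex|` escapes, and the relative positioning `distance:0` imposes) to run the two rules offline over constructed payloads, including a reversed-order page that shows why the relative modifier matters. The sample buffers are constructed for the test and are not taken from any PCAP mentioned in the thread; `fast_pattern` only chooses which content Snort hands to its multi-pattern matcher, so it does not change whether a single buffer matches and is ignored here.

```python
"""Offline emulation of the two community Snort rules from the thread.

Added example, not code from the thread or from Sourcefire/VRT. It mimics
Snort's `content` matching (including `distance:0`, which forces the next
content to be found at or after the end of the previous match) and the
`|hex|` escape syntax, then runs the two rules over constructed payloads.
"""
from dataclasses import dataclass
from typing import List


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|20 28|qwe123' into raw bytes.

    Text outside |...| is taken literally; text inside is hex, so
    '|20 28|' becomes b' ('.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out.extend(part.encode("latin-1"))
        else:
            out.extend(bytes.fromhex(part))
    return bytes(out)


@dataclass(frozen=True)
class Content:
    pattern: bytes
    relative: bool = False  # True models `distance:0`


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    contents: tuple  # ordered Content matches


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """Return True if every content in the rule matches in order.

    A non-relative content may match anywhere in the buffer; a relative one
    must begin at or after the end of the previous match. `fast_pattern`
    only affects which content Snort hands to its multi-pattern matcher,
    so it is irrelevant to a single-buffer check and is ignored here.
    """
    cursor = 0
    for c in rule.contents:
        idx = payload.find(c.pattern, cursor if c.relative else 0)
        if idx < 0:
            return False
        cursor = idx + len(c.pattern)
    return True


# The two rules proposed in the thread (SIDs 436520771 and 436520770).
RULES = (
    Rule(436520771, "COMMUNITY SPECIFIC-THREATS qwe123 PDF",
         (Content(parse_snort_content("%PDF-1.6")),
          Content(parse_snort_content("|20 28|qwe123")))),
    Rule(436520770, "COMMUNITY SPECIFIC-THREATS Blackhole Landing with prototype catch",
         (Content(parse_snort_content("if(window.document)try{new|20|")),
          Content(parse_snort_content(".prototype}catch("), relative=True))),
)


def scan(payload: bytes) -> List[int]:
    """Return the SIDs of all rules that fire on a single file_data buffer."""
    return [r.sid for r in RULES if rule_matches(r, payload)]


# Constructed test payloads (not real samples from the PCAPs discussed).
PDF_HIT = b"%PDF-1.6\n1 0 obj\n<< /Title (qwe123) >>\nendobj\n"
PDF_CLEAN = b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
HTML_HIT = (b"<html><script>if(window.document)try{new Foo.prototype}catch(e){}"
            b"</script></html>")
# Same fragments but reversed: distance:0 stops the second content from
# matching before the first, so the landing-page rule must not fire.
HTML_REVERSED = (b"<script>x.prototype}catch(e){} "
                 b"if(window.document)try{new Foo</script>")

if __name__ == "__main__":
    for name, data in [("PDF_HIT", PDF_HIT), ("PDF_CLEAN", PDF_CLEAN),
                       ("HTML_HIT", HTML_HIT), ("HTML_REVERSED", HTML_REVERSED)]:
        print(f"{name}: {scan(data)}")
```

Running the script prints `[436520771]` for the constructed PDF, `[436520770]` for the constructed landing page, and `[]` for both the clean PDF and the reversed-order page. The reversed case is the one worth keeping in a local regression set when tuning such rules: dropping `distance:0` from the second rule would make it fire on that buffer, which is one way a revision can quietly gain false positives of the kind Nathan reports for 21492 rev 5.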
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org