Re: Proposed Signatures - Blackhole Exploit Kit

["lists () packetmail net" <lists () packetmail net>]

On 03/13/12 16:57, Joel Esler wrote:
> Nathan, fixed up to:
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS Blackhole malicioius pdf detection - qwe123";
> flow:to_client,established; flowbits:isset,file.pdf; file_data;
> content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy
> balanced-ips drop, policy security-ips drop, service http;
> classtype:trojan-activity; sid:21583; rev:1;)

I strongly believe you need a fast_pattern on the "qwe123" string as it is the
most likely to be globally unique as compared to "%PDF-1.6".  Disagree?

Also "malicioius" was misspelled so corrected but this would have been likely
caught in QA so just pointing it out so it's not overlooked, not being pedantic.

I do agree looking for %PDF-1.6 even with the file.pdf flowbit check is wise, I
don't recommend dropping this.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123";
flow:to_client,established; flowbits:isset,file.pdf; file_data;
content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:21583; rev:1;)

Thanks,
Nathan

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!