Snort mailing list archives
Re: Proposed Signatures - Blackhole Exploit Kit
From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 13 Mar 2012 19:37:19 -0500
On 03/13/12 16:57, Joel Esler wrote:
Nathan, fixed up to:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Blackhole malicioius pdf detection - qwe123"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21583; rev:1;)
I strongly believe you need a fast_pattern on the "qwe123" string as it is the most likely to be globally unique as compared to "%PDF-1.6". Disagree?

Also "malicioius" was misspelled so corrected, but this would have been likely caught in QA so just pointing it out so it's not overlooked, not being pedantic.

I do agree looking for %PDF-1.6 even with the file.pdf flowbit check is wise, I don't recommend dropping this.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21583; rev:1;)

Thanks,
Nathan
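As an added illustration (not part of the thread and not Snort's own code), a small Python model of the point Nathan raises: the fast pattern is the content handed to the multi-pattern prefilter, and Snort's documented default is the longest content in the rule, so without an explicit fast_pattern the prefilter would select "%PDF-1.6" and pass every PDF 1.6 to full evaluation. The sample file_data buffers are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample file_data buffers (not real traffic): three benign PDF 1.6
# documents and one carrying the "qwe123" marker the proposed rule looks for.
SAMPLE_PAYLOADS = [
    b"%PDF-1.6\n1 0 obj<</Type/Catalog>>endobj\n%%EOF",
    b"%PDF-1.6\n1 0 obj<</Title(quarterly report)>>endobj\n%%EOF",
    b"%PDF-1.6\n1 0 obj<</JS(var x=1;)>>endobj\n%%EOF",
    b"%PDF-1.6\n1 0 obj<</OpenAction 2 0 R>>endobj\n2 0 obj<</JS(qwe123)>>endobj\n%%EOF",
]

@dataclass
class Content:
    pattern: bytes
    distance0: bool = False     # 'distance:0' -> search relative to the previous match
    fast_pattern: bool = False  # explicit 'fast_pattern' modifier

# Joel's rule (no fast_pattern) and Nathan's revision (fast_pattern on "qwe123").
RULE_DEFAULT = [Content(b"%PDF-1.6"), Content(b"qwe123", distance0=True)]
RULE_FAST = [Content(b"%PDF-1.6"), Content(b"qwe123", distance0=True, fast_pattern=True)]

def fast_pattern_of(rule):
    """An explicit fast_pattern wins; otherwise Snort's default, the longest content."""
    flagged = [c for c in rule if c.fast_pattern]
    return flagged[0].pattern if flagged else max(rule, key=lambda c: len(c.pattern)).pattern

def prefilter_hits(rule, payloads):
    """Buffers the multi-pattern matcher would hand on to full rule evaluation."""
    fp = fast_pattern_of(rule)
    return [p for p in payloads if fp in p]

def rule_matches(rule, payload):
    """Full evaluation: contents in order; distance:0 resumes after the previous match."""
    cursor = 0
    for c in rule:
        idx = payload.find(c.pattern, cursor if c.distance0 else 0)
        if idx < 0:
            return False
        cursor = idx + len(c.pattern)
    return True

def evaluate(rule, payloads):
    """Return (buffers passing the prefilter, buffers that actually alert)."""
    candidates = prefilter_hits(rule, payloads)
    alerts = [p for p in candidates if rule_matches(rule, p)]
    return len(candidates), len(alerts)

if __name__ == "__main__":
    print("default fast pattern:", fast_pattern_of(RULE_DEFAULT), evaluate(RULE_DEFAULT, SAMPLE_PAYLOADS))
    print("explicit fast pattern:", fast_pattern_of(RULE_FAST), evaluate(RULE_FAST, SAMPLE_PAYLOADS))
```

Both rules alert on the same single buffer; the difference is that the default sends all four PDFs through full evaluation while the explicit fast_pattern sends only one.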